Cyber security

Steps you should take now

  • Share
  • 4 questions CEOs should
    ask their CISOs
  • 10 leading practices to
    combat cyber threats
  • EY Security Program

4 questions CEOs should ask their CISOs

EY - 4 questions CEOs should ask their CISOs

4 questions CEOs should ask their CISOs

Every CEO should know if their organization has cyber security under control

This is not about developing deep technical knowledge. It is about understanding how an organization’s cyber-security approach relates to organizational and strategic priorities and protects the data that is vital to business success.

From our survey, only 35% of organizations have their information security professionals present to the board or the top governing structure on a quarterly basis, and this is often not enough.

These four questions could be the start of a critical discussion with your CISO about the safety of your organization:

1. Do you understand our wider business strategy?
2. Have you aligned our cyber security approach to our organizational strategy?
3. What are the gaps?
4. How are you evolving our cyber security approach to match the changing risk landscape?

10 leading practices to combat cyber threats

EY - 10 leading practices to combat cyber threats

10 leading practices to combat cyber threats

Knowing that an attack will inevitably occur has sparked improvements, but there are still steps that organizations need to take.

For the most part, organizations have improved their Information Security programs over the last 12 months. However, our findings suggest that organizations need to do more:

Commitment from the top

1. Board support. Organizations need executive support to establish a clear charter for the Information Security function and a long-term strategy for its growth

Organizational alignment

2. Strategy. Information Security must develop strong, clearly defined relationships with a wide range of stakeholders across the business and establish a clearly defined and formalized governance and operating model.
3. Investment. Organizations need to be willing to invest in cybersecurity.

People, processes and technology to implement

4. People. Today’s Information Security function requires a broad range of capabilities with a diversity of experiences. Technical IT skills alone are no longer enough.
5. Processes. Processes need to be documented and communicated, but Information Security functions also need to develop change management mechanisms to quickly update processes when opportunities for improvement arise.
6. Technology. Information Security functions must supplement their technology deployment efforts with strategic initiatives that address proper governance, process, training and awareness.

Operational enablement

7. Continuous improvement. Organizations must establish a framework for continuously monitoring performance and improving their Information Security programs in the areas of people, process and technology.
8. Physical security. Organizations should ensure that all their Information Security technology is physically secure, especially with consideration for access to Wi-Fi.
9. Analytics and reporting. Signature and rule-based tools are no longer as effective in today’s environment. Instead, Information Security functions may wish to consider using behavior-based analytics against environmental baselines.
10. Environment. Information Security requires an environment that includes a well-maintained enterprise asset management system to manage events associated with business priorities and assess the true risk or impact to the organization.

EY Security Program Assessment

EY - EY Security Program Assessment

EY Security Program Assessment

A holistic approach based on meaningful analytics.

Few companies today have the appropriate skills and resources in-house to effectively secure their information assets and at the same time optimize business performance. Organizations in all sectors can benefit from an objective assessment of their information security programs and structures.

EY’s innovative SPM framework is built upon a meaningful analysis of how information security shapes and fits into an organization’s overall risk management structure. At its foundation is a clear focus on the organization’s strategic priorities and business objectives.

EY's Security Program Management (SPM) framework

An SPM assessment assists with:

  • Understanding your organization’s risk exposure
  • Assessing the maturity of your current Information Security Program and identifying areas for improvement
  • Building a prioritized roadmap for project investments and organizational change initiatives
  • Collecting information to create benchmarks against other organizations
  • Validating that your security investments have improved your security posture

EY's Security Program Management (SPM) framework

EY's Security Program Management (SPM) framework ×