- Organizations fail to address cybersecurity risk in the early stages of any new digital initiative
- Activist attacks are the second most common motive for cyber attacks
Despite the overall growth in cyberattacks, only one-third of organizations say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS).
This year’s GISS, which surveyed almost 1,300 cybersecurity leaders at organizations worldwide, showed that almost 60% of organizations have faced an increased number of disruptive attacks in the past 12 months. Moreover, over the last year, activists were responsible for 21% of successful cyber attacks – second only to organized crime groups (23%) – compared with last year’s study, where just 12% of respondents considered activists as the most likely source of an attack.
Despite the increasing risk, only 36% of new, technology-enabled business initiatives include the security team from the beginning.
Kris Lovejoy, EY Global Cybersecurity Leader, Advisory, says:
“Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock.”
According to the survey, while cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business. Almost three-quarters (74%) say that the relationship between cybersecurity and marketing is, at best, neutral, if not mistrustful or non-existent, while 64% say the same of the research and development team and 59% for the lines of business. More than half (57%) say their relationship with finance, on which they depend on for budget authorization, is also strained.
Lovejoy says: “As companies undergo transformation, what’s needed is to build relationships of trust across every function of the organization, starting at the board level so that cybersecurity is established as a key value enabler. Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position cybersecurity at the heart of business transformation and innovation.”
Notes to Editors
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation is available via ey.com/privacy. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.