10 minute read 18 Oct. 2021
EY - Reframe your future surfer storm

Global Information Security Survey 2021: Business Growth with Cybersecurity

By Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.

10 minute read 18 Oct. 2021

Our latest 2021 EY Canada Global Information Security Survey (GISS) shows how cybersecurity can drive future growth

In brief:
  • Canadian businesses stand to gain by better connecting cybersecurity to the rest of the business.
  • If Chief Information Security Officers (CISOs) can dismantle operational silos, cybersecurity can help build resiliency and drive future growth in every aspect of a business.
  • The Canadian highlights of the 2021 (infographic) GISS showcases how CISOs have the opportunity to make a difference by driving organization change.

2021 EY Global Information Security Survey (GISS) shows operational silos hold progress back. Legacy risk frameworks require fresh thinking. Internal disconnects continue to drive awareness gaps around the value that cybersecurity can bring. Even so, the opportunity remains.

The right strategy can empower CISOs to translate progress gained during the crisis into sustainable collaboration, more integrated operations and stronger relationships meant to generate long-term value in a market transformed.

CISOs now have a unique chance to bolster their presence and effectiveness in Canadian organizations.

The key is to harness the progress made over the course of the pandemic and work with stakeholders as a united leadership team to:

  1. Take down operational silos to create a connected path forward.
  2. Embrace a new way of managing risk.
  3. Drive a cultural shift by cultivating internal awareness.

Our 2021 EY GISS showcases how this transformational opportunity can shape cybersecurity — and overall business results — for the better in an era when security, privacy and compliance will continue to be top of mind for internal and external stakeholders.


Man catching a wave on surfboard
(Chapter breaker)

Chapter 1

Take down operational silos so cybersecurity can create a connected path forward


Redrawing the organizational chart and making cybersecurity and privacy the connective thread between functional capabilities doesn’t only make your organization stronger. It can also support efficiency, cut down costs, and foster the kind of collaboration that speaks directly to internal and external calls for secure products, services and solutions. 


  • Risk itself has changed. Our findings from the Global Information Security Survey show more than 40% of leaders have never been as concerned as they are now about managing cyber threats the business faces. You cannot tackle that increase in disruptive risk without drawing better connections between functional teams.
  • Innovation is happening everywhere. Cloud is now the foundation for emerging technology. Developers are building new code and defining the server to house it themselves. Yet nearly 40% of organizations view the relationship between security and product development/R&D teams as a neutral one, characterized by low levels of consultation. That prevents security and privacy by design from taking hold.
  • Cybersecurity and privacy are invited to the party late. Although many organizations are already looking beyond Cloud 2.0 and its focus on containerization to address serverless technologies and blockchain through Cloud 3.0, cyber resources remain disconnected from the planning process. Less than one quarter of Canadian organizations bring cyber and privacy in at the planning stage. This can lead to costly ramifications, sending designs back to the drawing board at the 11th hour because they were built without appropriate security safeguards and default privacy settings.

How can organizations take action now?

  • Set tone from the top
  • Cross-pollinate cyber resources
  • Draw a new R&D framework

Global Information Security Survey 2021


Cyber leaders have never been as concerned as they are now about managing cyber threats

The adage that there is no cloud, only ‘someone else’s computer,’ is an outdated and precarious approach to operate modern IT and cyber security by. Today, emerging technologies offer organizations the ability to consume a myriad of cloud services offered across infrastructure, platform and software as a service and this necessitates a major shift in how emerging cyber risks must now be managed.
Amin Lalji
EY Canada Associate Partner, Advanced Cybersecurity Solutions Leader


Surfer women walking toward sea with surfboard side view
(Chapter breaker)

Chapter 2

Reshape cybersecurity and embrace a new way of managing risk


As markets and organizations evolve, there’s room to reshape the way cybersecurity and privacy teams operate, too. Assessing ways of working, embracing new models and reimagining required skillsets can help this critical function shift to better address the changing needs and demands of the business, as well as the customers and regulators these groups serve.


  • Regulatory expectations are changing. Half of Canadian execs say ensuring compliance in today’s regulatory landscape is the most stressful part of their job. Some 70% expect regulations to become increasingly fragmented, making them harder and more time consuming to manage. Internally, fragmented responses can hamper efforts further, exposing the organization to additional risk. By reframing regulatory requirements from a risk-based perspective, cyber and privacy teams can get ahead of changing regulations and initiate proactive relationships that serve the entire organization better.
  • Innovation is cycling more quickly than ever before. While most organizations feel cybersecurity protects the business, 73% say this function doesn’t actually enable innovation. That’s a missed opportunity. Innovation cycles are shorter than ever, magnifying the importance of security and privacy. Reframing the function’s focus to prioritize innovation alongside security and privacy can help businesses build solutions that are inherently more secure at a time when stakeholders are increasingly concerned about their privacy in a hybrid business world.
  • Business-centricity is everyone’s responsibility. Only 20% of CISOs are confident they speak the same language as their peers across the business. But there’s a real business case for cybersecurity and privacy specialists to contribute to all functional areas. Progressive organizations want to see how cybersecurity teams are getting creative to secure new products, digital offerings and broader business improvement initiatives. As business units adopt agile ways of working, building “security and privacy by design” is becoming more realistic. Cybersecurity teams must also adapt to approach risk through a commercial lens to drive more efficient overall business outcomes.

How can organizations take action now?

  • Assess the skills you have
  • Realign the talent agenda
  • Shift regulator relationships

Global Information Security Survey 2021


expect regulations to become increasingly fragmented, making them harder and more time consuming to manage

Privacy regulations are more than just another compliance exercise. They represent a way of holding organizations accountable for how they collect and process personal data and protect individuals’ right to privacy. The bigger objective is helping organizations create ethical business practices while gaining consumer trust.
Roobi Alam
EY Canada Privacy Leader


Dramatic clouds storms and crepuscular rays on the great plains
(Chapter breaker)

Chapter 3

Drive a cultural shift by cultivating internal awareness


Change is only as impactful as our ability to manage it meaningfully. If you’re taking down operational silos, or changing the way cybersecurity and privacy operates, the organization needs to know. Internal education and awareness building transforms cross-functional teams into stewards of privacy, data protection and cybersecurity. Succeeding on this front can unlock benefits for both the organization and its stakeholders while bolstering the bottom line.


  • New investments are creating new risks. In our latest survey, 45% of organizations said they planned significant investments in data and technology over the next 12 months. But fewer than 30% describe cybersecurity as an innovation enabler. Bridging that gap requires internal education around the specific capabilities and skillsets that security and privacy can bring to the innovation table so they’re considered earlier on in the process.
  • People don’t know what they don’t know. Only 34% of executive management teams say they’d describe cyber as flexible and collaborative. There’s no point in working to bring something new to the cybersecurity mix if the organization is holding on to legacy views of who you are and what you stand for. Creating opportunities to get to know the function better drives fruitful collaboration and profitable results.
  • Collaboration doesn’t always come naturally. Just over two thirds (68%) of CISOs say executive management wouldn’t describe the role of cybersecurity as commercially minded. Changing that perspective will require cybersecurity and privacy teams to show, not tell, what they’re capable of. Showcasing innovation stories centred on cross-functional teaming can bring people on board.

How can organizations take action now?

  • Make a plan for change
  • Focus on storytelling through internal channels
  • Celebrate wins without moving the goal posts

Global Information Security Survey 2021


of Cyber leaders say executive management would describe the role of cybersecurity as enabling innovation

In a digitally transformed organization, cybersecurity and privacy functions cannot solely focus on risk reduction. In addition to value protection, they also need to enable value growth and optimization. This requires cybersecurity and privacy to transcend legacy paradigms and operating models. That means engaging and educating across functional lines on integrating cyber and privacy into their ventures from the outset. and transforming cyber and privacy from gatekeepers to agile functions that operate as true partners to the business.
Ali Varshovi
EY Canada Financial Services Cyber Leader

What’s the bottom line?

In Canada and around the world, security functions are facing a critical inflection point. Seizing this moment to bring cybersecurity and the business closer together tells the market your security and privacy matter most. Start by dismantling operational silos, supporting a new view of risk, and driving meaningful internal culture change. Doing so now can bake security and privacy into everything you do and differentiate your organization in a sea of competition. 

Canadian CISOs have the opportunity to make a difference [infographic]

CISOs have the opportunity to make a difference

Our 2021 Global Information Security Survey (GISS) identifies the actions Chief Information Security Officers (CISOs) need to take to help drive organizational transformation during this critical time.

Click to view the infographic

  • Survey methodology

    The data in this year’s GISS report is based on a survey of CISOs and other senior leaders at 1,010 organizations, including 71 Canadian respondents, carried out between March and May 2021. CISOs and other C-suite professionals comprised 50% of respondents; the others were C-1 cybersecurity professionals. Surveys were primarily conducted via telephone, with a minority completed online.


New cyber risks are mounting as threat actors become increasingly mature. Consumers have come to expect security and privacy by design, even as innovation moves at the speed of light. Legacy frameworks and internal disconnects represent serious gaps that organizations must address now. Adapting risk management and creating meaningful culture change can help entrench cybersecurity in every aspect of your business, to build resiliency and drive future growth.

About this article

By Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.