7 minute read 14 Oct 2021

How to risk balance your investments in cybersecurity

By Marc Minar

Senior Manager, Cybersecurity | Switzerland

Member of the Swiss Cybersecurity Leadership Team in EY's EMEIA Financial Services Consulting practice. Licensed pilot and passionate golf player.

7 minute read 14 Oct 2021

To efficiently manage limited cybersecurity budgets, companies should make risk-adjusted investments in security controls.

In brief
  • No organization can afford to make unlimited investments in their cybersecurity. 
  • An independent assessment can help decision makers to invest appropriately in cybersecurity by balancing risks and protection required.
  • The assessment should be aligned to industry standards and benchmarked against peers to offer actionable insights.

Most organizations today acknowledge that they must embrace new technology and continually innovate in order to remain competitive and relevant. However, in the rush to modernize their systems and operations, many introduce vulnerabilities across their business, and expose themselves to a growing number of risks. This can happen, for example, when moving critical systems into the cloud. Cyber-preparedness and -planning are further complicated by the evolving regulatory and threat landscape. This, coupled with other developments and trends, makes for a challenging situation in safeguarding cybersecurity as a risk function while also enabling the business and protect customers, products, production and supply chains whilst staying within budget restrictions.

A comprehensive cyber posture assessment is a practical approach to address these challenges. It reveals whether the current setup is able to meet evolving cyber threats and highlights focus areas for future investment. In the Swiss market, we observe growing demand for assessments to prepare for the migration of critical IT systems into a public cloud. For financial services institutions in particular, this move is further complicated by applicable FINMA regulations such as the Circulars 18/03 “Outsourcing” or 08/21 “Operational Risks for Banks”. Given the far-reaching impact of the topic, the quality of such an assessment is extremely important. A good assessment will add value, provide guidance to adhere to relevant regulations, be based on industry best practice and be tailored to the unique threat scenario of the organization.

Organizations today must innovate to survive, but in doing so face ever-growing threats of cyber-attacks and increased regulatory pressure

For many years, the financial industry has been seeking ways to assess their current cyber situation rapidly as the basis for developing agile strategies and roadmaps for transformation. To address their risks, they need to consider complex, interrelated aspects such as cybersecurity, supply chain, finance, IT and other business areas. Until now, the market has struggled to provide adequate tools that truly enable organizations to address these challenges. Those available tended to lack an efficient assessment lifecycle (e.g. not providing an end-to-end solution) or fell short on deep insights. In the absence of benchmarking data for comparisons with peers, sectors or the industry as a whole, decisions have often been constrained by internal data. This limited visibility was often paired with the absence of an evidence-based approach, resulting in a poorer quality decision-making basis. This was reflected in our latest EY Global Information Security Survey (GISS) where an overwhelming majority of Swiss participants confirmed that they have little trust in cyber risk measures presented to them.

Lack of trust


of boards are confident that the cyber risks and mitigation measures presented to them can protect their enterprise from cyber-attacks

A holistic and fit-for-the-organization assessment starts by identifying relevant risk scenarios. As organizations continue to evolve and adapt to the ever-changing economic, threat, regulatory and technology landscapes, they are likely to be faced with one or a combination of the following scenarios:

  • Organizational changes

    Organizational changes can lead to the introduction of new business units, related processes, technology and people, including leadership realignment.

  • Critical events/incidents

    Active or past security events impact an organization’s products, solutions, infrastructure and/or third-party connections, requiring a security strategy review.

  • Emerging technology

    Organizations are increasingly adopting/developing technologies such as cloud, Internet of Things, customer self-service or remote working; at the same time, mainstream media is likely to cover high profile security breaches.

  • Peer benchmarking

    Better insights are powered by benchmarking of an organization’s cybersecurity posture against peer organizations within the same or across multiple industry sectors.

  • Regulatory pressure

    Global and local regulatory requirements impact various aspects of business operations.

  • M&A

    M&A activities often go hand in hand with changes which can impact the organization’s threat surface when previously untested technology and processes are introduced.

  • New cybersecurity leader

    Many organizations are choosing to appoint a cybersecurity leader tasked with understanding the current posture of organization’s cybersecurity program in order to determine investment, strategy and roadmap to transition to desired maturity.

  • Reporting requirements

    An accurate and up-to-date overview of reporting requirements supports cyber governance and oversight by providing cybersecurity program metrics, current maturity ratings and insights with a regular cadence.

  • Cybersecurity resiliency review

    A cybersecurity resiliency review assesses the organization’s ability to respond to significant disruptions due to cybersecurity incidents and to inform updates to existing crisis management plans.

Once one or more of these risk scenarios have been identified, it is also wise to maximize the potential value from these unique opportunities (e.g., when a new cybersecurity leader takes over the cybersecurity function).

The role of Chief Information Security Officers (CISOs) in Switzerland and across Europe is shifting. No longer seen as innovation blockers, today’s CISOs are problem solvers who enable their organizations to transform safely and securely. Especially in today’s world of constant change, organizations need to assess capabilities continually to stay relevant and gain a competitive advantage. They need to confront unforeseen situations and be prepared well in advance to handle situations in a volatile, uncertain, complex and ambiguous (VUCA) environment. To align efforts where they are needed most, the strategy should be up to date and able to prioritize focus areas. New value often comes from highlighting issues or topics which might otherwise have gone unnoticed and using them to create opportunities. 

CISOs cannot afford to be seen as blockers of innovation; they must be problem solvers — enablers who promote Security by Design and allow their organizations to transform safely and securely

The risk scenarios set out above are also unique opportunities to create value for an organization, by not only further strengthening the cyber controls in place, but by also enabling business functions. To provide better answers and to address the cyber, IT and regulatory challenges outlined, a cyber maturity diagnostic and benchmark assessment can be performed. Such an assessment can help organizations' understanding whether the right information assets are being protected to the appropriate level of security based on their value to the company.

Typically, a comprehensive assessment firstly aims to understand the business context, then the risk scenarios faced by the business are determined. Next, the desired maturity profile and relevant roadmaps should be considered. One outcome of such an assessment is an action-oriented plan containing prioritized initiatives to better equip the organization to evaluate and justify the value provided by cybersecurity. Naturally, it makes sense to enrich the assessment with additional enablers to inform the cybersecurity strategy and roadmap planning, e.g., through a dedicated cybersecurity value optimization, a review of the operating model and governance structure or through a cybersecurity transformation or co-sourcing engagement.

Unclear financial impact


of respondents say they cannot quantify, in financial terms, the effectiveness of their cybersecurity spending in addressing the risks faced by the business

Our latest GISS study reveals that a large portion of respondents in Switzerland cannot quantify, in financial terms, the effectiveness of their cybersecurity spending in addressing the risks faced by the business. A thorough analysis is the basis for prioritizing investments and setting the scene for sustainable growth. An independent assessment often reveals more about the current state of security in an organization than internal reviews.

A comprehensive assessment, typically supported by state-of-the-art tools, enables you to rapidly assess your current state and to develop agile strategies and roadmaps to transform your organization. The value added is not only the identification of key business risks related to the maturity of specific cybersecurity domains areas, but also the alignment of the cybersecurity strategy with a focus on the organization's strategic priorities and business objectives. It enables a facilitation of a dialogue between the cybersecurity team and business leaders to articulate the benefits of cybersecurity program investments and helps to understand areas of improvement requiring additional investment. This industry-proven method helps in developing pragmatic recommendations to further improve cybersecurity programs, especially with the correct alignment of risk and cost with business needs. 


No matter the organization, cybersecurity maturity level or threat landscape, it has never been more important to effectively protect your organization from cyber threats. At the same time, it’s important to embrace new technology and continually innovate to remain competitive and relevant. To address ever-changing economic, threat, regulatory and technological challenges, CISOs and security organizations must regularly and independently assess the controls and risks related to key assets of the corporation while staying within budget restrictions.

About this article

By Marc Minar

Senior Manager, Cybersecurity | Switzerland

Member of the Swiss Cybersecurity Leadership Team in EY's EMEIA Financial Services Consulting practice. Licensed pilot and passionate golf player.