Security leaders and their boards/C-suites are not always fully engaged on how to confront the systemic risks posed by cyber threats.
Almost two-thirds of companies are failing to incorporate cybersecurity at an early stage as they focus on tech-enabled transformation projects and innovation, new EY research reveals. Early findings from the latest EY Global Information Security Survey (GISS) reveal that just 36% of cybersecurity teams are asked to play an early and integral role in such initiatives.
The problem, which threatens to seriously undermine many organizations’ efforts to exploit digitalization and emerging technology, appears to stem from shortfalls in engagement, understanding and risk awareness between company boards, other functions of the business and the cybersecurity team. Without closing such gaps, cybersecurity teams will continue to find it difficult to secure the resources, support and status they need to properly protect their organizations.
Right now, while many organizations say that their cybersecurity teams have good relations with adjacent functions such as IT, audit, risk and legal, they are concerned about the lack of connection with other parts of the business. For example, 74% say that the relationship between cybersecurity and marketing is at best neutral, and at worst mistrustful or non-existent; 64% say the same of the research and development team; 59% say the same of the lines of business. Cybersecurity teams even score poorly on their relationship with finance, on whom they depend for budget authorization: 57% of companies say that relationship falls short.
These findings are particularly concerning as this year’s GISS, which interviewed almost 1,300 businesses worldwide, underlines warnings that the threat level continues to rise. It reveals that 59% of companies have experienced an increase in the number of destructive attacks over the past 12 months. Of those, more than half have been hit by an increase of 10% or more.
That increase in attacks is one reason why CEOs now regard cybersecurity as one of the most urgent risks they face. The 2019 EY CEO Imperative Study revealed that CEOs believe that national and corporate cybersecurity is the greatest threat facing the world economy over the next 10 years.
However, this year’s GISS reveals a gap between intent and practice, with many organizations failing to work sufficiently closely with their boards on cybersecurity.
Where to improve
While most companies say their boards have at least some involvement in establishing and approving the strategy, direction and budget of their cybersecurity programs, only a minority are completely engaged in this work.
One problem for many boards is that they do not feel equipped to understand the risks their organizations face or the measures that would mitigate those risks. The priority now for chief information security officers (CISOs) must be to give the business’s senior leaders a better understanding of cybersecurity.
They will be pushing at an open door: boards themselves are keen to improve in this area, with almost half of those where there is a knowledge shortfall now taking steps to remedy it. Only 25% of respondents to the GISS say that they are able to quantify risk in financial – or business – terms. Meanwhile, early findings from the EY Global Board Risk Survey suggest that only 20% of boards are extremely confident in their organizations’ cyber-attack mitigation measures.