6 minute read 20 May 2021
Man and woman on city street

Why cybersecurity could be the missing link to growth

By Kris Lovejoy

EY Global Consulting Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.

6 minute read 20 May 2021
Related topics Cybersecurity GISS

In the wake of the pandemic, CISOs can reposition themselves as enablers of growth. But early findings from the latest EY Global Information Security Survey suggest they must first overcome four deep-seated barriers. 

In brief
  • As businesses responded to COVID-19, the cyber threat became more complex, intensifying the pressure on cybersecurity teams.
  • The role of CISO is at a crossroads, with cyber practitioners striving to keep the business safe while enabling innovation and growth.
  • Cybersecurity teams must build new bridges, manage regulatory fragmentation, understand a rapidly evolving threat, and make a compelling case for resources.

The COVID-19 pandemic was a turning point for cybersecurity teams. As organizations shifted overnight to remote and flexible ways of working, attackers seized the opportunity to exploit vulnerabilities in their defenses. At the same time, businesses implemented new technologies at pace, demanding security teams act quickly, identify weaknesses, and contain threats.

All this intensified pressure on the chief information security officer. Now, as firms step beyond the pandemic, CISOs have another critical role: enabling recovery and growth. Early findings from the latest EY Global Information Security Survey (GISS) suggest that the majority of cybersecurity leaders are choosing to see the crisis as an opportunity to raise their profile across the business. In this new world, CISOs can finally dispense with the perception that their function is a brake on innovation and change. But a balance must be struck.

“During COVID, businesses introduced technology to communicate with customers and support new ways of working, but those technologies weren’t secure,” says Kris Lovejoy, EY Global Consulting Cybersecurity Leader. “Hackers will attack vulnerabilities in the system for years to come. For cyber practitioners, the question needs to be: How can we ensure our business reaps the benefit of the technology, without leaving us open to attack.”

As the challenges of the crisis continue to evolve, CISOs are at a crossroads. Becoming an enabler of growth is essential, but it’s easier said than done. Our CISO Imperative series is designed to help you on that journey, providing critical answers and actions to reframe the future of your organization. In this introduction to the themes of GISS 2021, we highlight four barriers CISOs must first overcome.

During COVID, businesses introduced technology to communicate with customers and support new ways of working, but those technologies weren’t secure
Kris Lovejoy
EY Global Consulting Cybersecurity Leader

1. Cybersecurity has bridges to fix and build 

At the height of the pandemic, cybersecurity teams came under scrutiny as businesses responded to the changing environment. “There was a need for speed and a get-it-done attitude,” says Mike Maddison, EY EMEIA Consulting Cybersecurity Leader. “But did cybersecurity teams bring forward solutions to act as an enabler? Unfortunately, in many cases, they were very much seen as the blocker.”

Emerging findings from this year’s GISS suggest cybersecurity’s relationship with other functions has deteriorated over the last 12 months. One point of concern is that the decline in relationships is most pronounced among functions taking the lead in the growth agenda. Approximately half of respondents judge their relationship with the marketing function to be negative, for example, up from 36% a year ago, while a higher proportion than last year also say the same of product development.

A challenge is these outward-facing functions have taken control of their technology renewal programs and can bypass cybersecurity. “Many teams have introduced cloud-based platforms during the pandemic, introducing new risk without discussing the changes with cybersecurity,” says Lovejoy.

In turn, around four in 10 respondents say a key priority after COVID-19 is to address risks introduced as their organization responded to lockdown. Moreover, our findings suggest the problem is becoming more entrenched over time, with CISOs increasingly excluded from the earliest stages of strategic transformation: approximately 50% say they are brought in at the planning or design stages of new business initiatives, down from 63% a year ago.

2. Regulatory fragmentation is adding an extra layer of stress for CISOs

Faced with competing demands for their time and resources, CISOs are increasingly preoccupied with privacy and security regulation. For global businesses, whose operations span multiple jurisdictions, the ongoing fragmentation of regulation is an additional pressure.

Around one in two respondents says compliance can be the most stressful part of their job, and approximately 55% expect regulation to become even more fragmented and time-consuming in the years to come. “It creates an enormous amount of overhead – you’re answering the same question in a variety of different ways,” says Dave Burg, EY Americas Consulting Cybersecurity Leader.

To add to the problem, it is becoming harder for CISOs to access the resources they need to manage regulation. Almost six in 10 say COVID-19 has increased the risk of non-compliance, but CISOs say regulation is less effective as a lever to secure new funding. Less than one in five describes regulation as an effective way for them to make the case for budgets, down from 29% in 2020.

“Regulations are fragmenting, but the primary need of today’s business is to transform,” says Lovejoy. “If a CISO says, ‘I need more money for regulation,’ it doesn’t carry as much weight as it did.”

3. The scale and complexity of the cybersecurity threat continue to grow

CISOs are determined to focus on growth and business enablement, but they are also mindful of the increasingly sophisticated threats they face. The vulnerabilities introduced by pandemic-era technology are only part of the story, with bad actors seeking to exploit a range of new entry-points.

“Attacks have become commoditized,” says Richard Watson, EY Asia-Pacific Consulting Cybersecurity Leader. “You can buy a ransomware program cheaply and easily on the dark web. Viruses have been democratized.”

Regulations are fragmenting, but the primary need of today’s business is to transform
Kris Lovejoy
EY Global Consulting Cybersecurity Leader

The supply chain is a particular concern. Just one in three respondents is confident they can ensure their supply chain is watertight in its ability to defend against attackers, while approximately six in 10 caution that bad actors are using new strategies, such as exploiting vulnerabilities in procurement.

Overall, there is real concern about the scale and growing maturity of the threat. Less than half of respondents feel confident about managing the bad actors they face – and more than four in 10 have never been as worried as they are now about their organization’s ability to repel the cyber threat.

4. Budget inflexibility opens the door to avoidable breaches

More than a third of respondents say budget restrictions are making a cybersecurity breach inevitable, while approximately 40% worry costs are not adequately factored into strategic investment plans. Indeed, four in 10 also warn their budget is inadequate to confront the new threats emerging over the past 12 months.

“There is no longer a blank cheque to be written for cybersecurity,” says Watson. “Resources are hard to come by and people are trapped in their country of origin. They can’t fly around the world to solve complex projects.”

Addressing this issue requires CISOs make a stronger and clearer case for resources, couched in the language of their organization’s strategic objectives. But it will also be necessary for companies to build more flexibility into the budget-setting process. Today, approximately 40% of CISOs say cybersecurity costs are shared across the organization, but around 15% do so dynamically, based on how resources are used.

Conclusion: CISOs are building on the momentum

CISOs are at a crossroads, but there is a widespread momentum for change. EY Americas Cybersecurity Leader Dave Burg notes, for example, many teams built up a huge store of credibility during the crisis. “I know of many who were viewed as superstars,” he says. “They can build on this.”

This article introduces early findings of this year’s EY Global Information Security Survey. It is based on a sample of 642 senior cybersecurity executives, out of a total that will exceed 1,000 when the fieldwork closes. Respondents work for businesses worldwide, each of which exceeds $1BN in annual revenue.

Summary

This article introduces early findings of this year’s EY Global Information Security Survey and outlines four barriers that CISOs face as they strive to become enablers of growth.

About this article

By Kris Lovejoy

EY Global Consulting Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.

Related topics Cybersecurity GISS