1. Cybersecurity has bridges to fix and build
At the height of the pandemic, cybersecurity teams came under scrutiny as businesses responded to the changing environment. “There was a need for speed and a get-it-done attitude,” says Mike Maddison, EY EMEIA Consulting Cybersecurity Leader. “But did cybersecurity teams bring forward solutions to act as an enabler? Unfortunately, in many cases, they were very much seen as the blocker.”
Emerging findings from this year’s GISS suggest cybersecurity’s relationship with other functions has deteriorated over the last 12 months. One point of concern is that the decline in relationships is most pronounced among functions taking the lead in the growth agenda. Approximately half of respondents judge their relationship with the marketing function to be negative, for example, up from 36% a year ago, while a higher proportion than last year also say the same of product development.
A challenge is that these outward-facing functions have taken control of their technology renewal programs and can bypass cybersecurity. “Many teams have introduced cloud-based platforms during the pandemic, introducing new risk without discussing the changes with cybersecurity,” says Lovejoy.
In turn, around four in 10 respondents say a key priority after COVID-19 is to address risks introduced as their organization responded to lockdown. Moreover, our findings suggest the problem is becoming more entrenched over time, with CISOs increasingly excluded from the earliest stages of strategic transformation: approximately 50% say they are brought in at the planning or design stages of new business initiatives, down from 63% a year ago.
2. Regulatory fragmentation is adding an extra layer of stress for CISOs
Faced with competing demands for their time and resources, CISOs are increasingly preoccupied with privacy and security regulation. For global businesses, whose operations span multiple jurisdictions, the ongoing fragmentation of regulation is an additional pressure.
Around one in two respondents says compliance can be the most stressful part of their job, and approximately 55% expect regulation to become even more fragmented and time-consuming in the years to come. “It creates an enormous amount of overhead – you’re answering the same question in a variety of different ways,” says Dave Burg, EY Americas Consulting Cybersecurity Leader.
To add to the problem, it is becoming harder for CISOs to access the resources they need to manage regulation. Almost six in 10 say COVID-19 has increased the risk of non-compliance, but CISOs say regulation is less effective as a lever to secure new funding. Less than one in five describes regulation as an effective way for them to make the case for budgets, down from 29% in 2020.
“Regulations are fragmenting, but the primary need of today’s business is to transform,” says Lovejoy. “If a CISO says, ‘I need more money for regulation,’ it doesn’t carry as much weight as it did.”
3. The scale and complexity of the cybersecurity threat continue to grow
CISOs are determined to focus on growth and business enablement, but they are also mindful of the increasingly sophisticated threats they face. The vulnerabilities introduced by pandemic-era technology are only part of the story, with bad actors seeking to exploit a range of new entry-points.
“Attacks have become commoditized,” says Richard Watson, EY Asia-Pacific Consulting Cybersecurity Leader. “You can buy a ransomware program cheaply and easily on the dark web. Viruses have been democratized.”