Cyber leaders’ confidence in their organization’s defenses plummets, but costs mount

• Just 1 in 5 respondents considers their organization’s approach to cyber to be effective
• Annual spend on cyber hits US$35m with median cost for a breach expected to reach US$4m
• 76% of respondents take six months or longer to detect and respond to an incident

While the number of cyber threats and associated costs are increasing, cybersecurity leaders appear to be struggling with the effectiveness of their organization’s defenses, according to the EY 2023 Global Cybersecurity Leadership Insights Study.

The survey of 500 cybersecurity leaders worldwide finds that just one in five considers their organization’s approach to be effective for current and future threats. Half of respondents also appear skeptical about the effectiveness of the training that their organizations provide and just 36% are satisfied with the levels of adoption of best practices by teams outside the IT department.

At the same time, cyber leader respondents report mounting costs associated with cybersecurity investment and an average of 44 cyber incidents in 2022. Chief information security officer (CISO) respondents report an average annual spend of US$35m on cybersecurity and that the median cost of a breach to their organization has increased by 12% to US$2.5m in 2023 and is anticipated to reach US$4m.

Despite high levels of spending, detection and response times appear slow. More than three-quarters of respondents (76%) say their organizations take an average of six months or longer to detect and respond to an incident.

Richard Watson, EY Global and Asia-Pacific Cybersecurity Consulting Leader, says:

“After all the time and money spent on cybersecurity, CISOs still feel very unprepared against cyber threats. The levels of dissatisfaction are more worrying when seen in the context of increasing geopolitical instability, economic uncertainty and the rapid adoption of emerging technologies that will push the number of incidents to even higher levels and see cyber adversaries continually evolve.”

Simplify to survive

The study finds that those organizations that are more satisfied with their approach to cybersecurity, experience fewer cyber incidents and can detect and respond to incidents quicker have certain common characteristics.

While 70% of these “Secure Creators” identified in the study, define themselves as early adopters of emerging technology, they focus on extracting the most value from specific advanced solutions, such as artificial intelligence/machine learning (AI/ML) (62%) and Security, Orchestration, Automation and Response (SOAR) (52%) that allow them to have a clear line of sight of cybersecurity incidents. In addition, they have specific strategies in place for managing attacks through multiple sources: their own cloud, their partners and through their supply chains. Respondents from these types of organizations appear almost twice as likely to be highly concerned about cyber risks from their supply chain (38%) and related risks, such as intellectual property protection (38%).

Finally, “Secure Creators” embed cybersecurity thinking and training from the C-suite down to the workforce. As a result, CISOs from these organizations say that their approach is more likely to positively impact their pace of transformation and innovation (56%), as well as their ability to rapidly respond to market opportunities (58%) and to focus on creating value (63%).

Watson says: “When it comes to technology, the more clutter an organization has in its armory, the harder it is to pick up signals and get on top of issues quickly. CISOs should focus not on bolting on new technologies but integrating existing ones better. Organizations are now inextricably and digitally linked to businesses in their supply chain. CISOs should champion thinning out supply chains, so they are dealing with fewer suppliers, and work to ensure that a cyber security lens is applied over them.

“It is the very scale and complexity of security measures and processes in an organization that pose the greatest threat to efficient cybersecurity. Instilling a culture of being brilliant at the basics of cybersecurity across the organization can prove to be the best defense.”

-ends-

Notes to editors

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.

About the EY 2023 Global Cybersecurity Leadership Insight Study

In February and March 2023, the EY organization conducted research to better understand how companies are approaching their organization’s cybersecurity to prepare for the cybersecurity threats of today and tomorrow. EY professionals surveyed 500 C-suite and cybersecurity leaders across 19 different sectors and 25 countries covering the Americas, Asia-Pacific and EMEIA (Europe, the Middle East, India and Africa). Respondents represented organizations with more than US$1b in annual revenue.