5 minute read 27 Oct 2023


How simplification can stem cyberattacks

How organisations can simplify the tech environment to stem cyberattacks

By Puneet Kukreja

EY UK & Ireland Cyber Security Leader

As the EY UK & Ireland Cyber Leader Puneet is passionate about building client centric, growth focused high-performing delivery organisations which are engineering led and powered by managed services.

5 minute read 27 Oct 2023

Bolstering cyber defenses with new technologies may have the opposite effect due to added complexity.

In brief
  • Expanding attack surfaces mean organisations need to ensure supply chains measure up on cybersecurity.
  • Building a company-wide culture of cyber vigilance is essential to reduce human error.
  • Cybersecurity must be viewed as a potential value creator rather than an inhibitor and constraint on activity.

The EY 2023 Global Cybersecurity Leadership Insights Study revealed that C-suite leaders are grappling with a growing range of present and anticipated threats. Organisations are facing an average of 44 significant cyber incidents a year, and detection and response times are slow with three-quarters of respondents taking an average of six months or longer to detect and respond to a cyber incident. Meanwhile, ransomware costs are forecast to reach US$265 billion by 2031, up from US$20 billion in 2021¹.

The survey also revealed how companies can strengthen their cybersecurity by emphasising simplicity, holistic thinking and the integration of cybersecurity considerations across the organisation.

Simplification of tech landscape imperative

Interestingly, the more cybersecurity solutions added by organisations, the more complex the environment becomes, and the more difficult it becomes to detect the signals associated with cyberattacks and breaches. Simplification of the technology environment, therefore, is key.

Organisations that consolidate technology into a single platform and reduce the number of vendor products can help ease integration and can help their security teams spot incidents more efficiently.

The most effective Chief Information Security Officers (CISOs) simplify their technology landscape, emphasise automation, and communicate effectively across organisational tiers.

The transition to cloud computing at scale and the Internet of Things (IoT) have increased openings for cyber breaches. 53% of cyber leaders agree that there is no such thing as a secure perimeter in today’s digital ecosystem.

Cyber complexity requires simplification, and this demands a close examination of the technology and services stack.

In today's digital landscape, the intricacy of cybersecurity challenges has reached unprecedented levels. To effectively mitigate these risks, organisations and governments must start by simplifying the technology and services stack.

One critical area of vulnerability is supply chains as all Irish organisations are now inextricably and digitally linked to businesses in their supply chain. Organisations that have more effective ways of managing cyber threats and have therefore fewer cyber incidents are almost twice as likely to be highly concerned about the risks the supply chain pose. CISOs in Ireland need to streamline their organisation’s supply chains to gain visibility into the resiliency of vendors on a continuous basis, not just as a one-off.

Organisations cannot assume that the cloud provider is handling all cyber risks. Cloud security is a shared responsibility.

Embed cybersecurity into workforce’s psyche

Cybersecurity awareness and vigilance needs to be embedded throughout the organisation. This requires buy-in from senior leaders and close communication between CISOs and the C-suite. Organisations that have cybersecurity operations embedded with core business priorities and strategies have higher odds of experiencing fewer incidents. The most effective CISOs translate the cybersecurity narrative into a storyline that resonates in terms of risk reduction, business impact and value creation.

The wider workforce remains a priority. Human error continues to be a major enabler of cyber breaches. Weak compliance to best practices outside the IT department was the third biggest internal challenge identified in the survey.

Only half of cybersecurity leaders say their cyber training is effective.

Non-IT adoption of best practices

Just 36%

Are satisfied with non-IT adoption of best practices.

This raises questions on how effective this training truly is. Being brilliant at the basics should be the focus.

Organisations need to simplify best practices asked of the workforce and create guardrails in their processes to limit risk rather than rely on compliance. Making cybersecurity second nature by embedding it into the psyche of every person in the organisation will help ensure more effective training and adherence.

Talent is a recurring challenge as the cybersecurity skills gap continues to grow. Upskilling is a key focus for most organisations in the study. Leaders in this space are prioritising recruiting or reskilling workers not currently in the cybersecurity field to bridge the gap. These non-traditional hires can emerge from a range of backgrounds, including functional areas where automation has reduced workloads significantly, such as finance and general IT. They are also more likely to outsource additional functions and capabilities to third-party specialists in the future.

Finally, cybersecurity is not just about asset protection. Done well, it can also support and accelerate innovation and value creation across the enterprise.

The best organisations weave cybersecurity into the fabric of the firm, shifting it from inhibitor to value driver. Cybersecurity can be value generative by positively impacting on an organisation’s pace of transformation and innovation and its ability to respond to market opportunities.

Cyber secure organisations win greater trust from customers and suppliers who will be more confident doing business with them.

With threats increasing quite steeply, Irish organisations need to take a step back and view their cyber defenses holistically. Simplification will make it easier to detect threats and breaches while a broader view will include the supply chain which is becoming a key vulnerability. CISOs also need to communicate the cyber agenda more effectively to build a culture of cyber awareness throughout the organisation.


In an age where connectivity and interdependence are paramount, it is crucial to streamline systems and processes. This begins with a thorough understanding of the technology infrastructure - from the software and hardware in use to the services and applications that power operations. Identifying redundancies, eliminating outdated components, and consolidating where possible can significantly enhance security.

Moreover, a critical aspect of this simplification process is understanding the role of third-party relationships, especially in terms of third-party risk, fourth-party risk and, in particular, review of risk models for Hardware and Software Bill of Materials (H&SBOM). As organisations and governments share data and services across their supply chains, it is vital to gain transparency into how this data is protected at every level. Simplification, in this context, means creating clarity within complex supplier networks.

By simplifying the technology stack and by enhancing visibility into third-party interactions, we can better navigate the evolving cyber landscape, reduce vulnerabilities, and bolster our cybersecurity defenses.

About this article

By Puneet Kukreja

EY UK & Ireland Cyber Security Leader

As the EY UK & Ireland Cyber Leader Puneet is passionate about building client centric, growth focused high-performing delivery organisations which are engineering led and powered by managed services.