How Irish CISOs can become enablers of innovation and growth

CISOs in Ireland have had a particularly difficult time, culminating perhaps in the “catastrophic” ransomware attack on the Irish Department of Health² in May 2021. Nine in 10 (90%) Irish cybersecurity leaders report an increase in disruptive cyberattacks over the last 12 months, compared to 72% globally (see Figure 1).

“Our experience tells us that both the number and the severity of these incidents is increasing exponentially in Ireland,” says Carol Murphy, EY Ireland Consulting Partner and Head of Technology Risk. She adds: “This is due to Ireland being perceived as being less mature and, therefore, presenting more opportunity for vulnerabilities to be exploited by cyber criminals than some other markets.”

Irish CISOs’ business partnering ambitions have been undermined way more than their global peers’. More than two-thirds (68%) complain that their teams are sometimes consulted too late or even not at all when their organisations make strategic decisions. Globally, only 56% of respondents share this concern. In Ireland, many organisations still do not have a CISO or have only recently appointed one. “So, this role is still evolving. There is more work to be done to build awareness of the role of CISO and to articulate the value that can be delivered to the business through this role,” reflects Carol Murphy.

She warns that the attacks have increased in frequency as well as in sophistication and malicious intent: “These are complex, sophisticated attacks performed by organised criminals. There is nothing random or opportunistic about them.”

How, then, can CISOs in Ireland manage the threat, while redoubling their longer-term efforts to become a growth-enabling function? Which challenges do they face, preventing them from growing their influence in the business? 

CISOs in Ireland are more likely than their international counterparts to feel overwhelmed by the burden of compliance. Their concerns mirror the ongoing fragmentation of international regulation, which has left many struggling to cope with evolving privacy and security regimes on a regional and national level as well as new industry-specific standards.

More specifically, the global scale of many Irish employers, reflecting the country’s attractiveness as a location for international business, is adding pressure.

“Ireland is the European hub for so many global organisations,” explains Carol Murphy. “It is their gateway to the rest of Europe and they are, therefore, navigating regulation across multiple geographies and divisions. That is a real challenge.”

More than four in 10 (42%) Irish respondents describe compliance requirements as the most challenging aspect of cybersecurity (see Figure 2). A more modest 29% of global respondents feel the same way.

There is little chance of a slowdown in regulation in the years to come. European Union regulation – such as the NIS Directive, its revised scope as covered by the NIS 2 Directive, and potential reforms to GDPR – is becoming more comprehensive.

Emerging technologies such as artificial intelligence, along with the ethical considerations around their use, will also spawn new regulation as businesses explore opportunities to create new value from data.

Against this backdrop, 60% of Irish CISOs expect regulation to become more complex and more time consuming to manage in the years to come. Already, more than half (54%) say that delivering compliance for their organisations can be the most stressful part of their jobs.

These sentiments stem, in part, from CISOs being excluded from the early stages of decision-making. “Where cybersecurity is involved from the start – focussed on security and privacy by design – there is an opportunity to work with regulation and compliance in mind from the beginning, rather than having to reverse-engineer it,” advises Carol Murphy.

Irish cybersecurity functions are underfunded. More than half of the respondents (52%) in Ireland flag that it is just a matter of time until they suffer a major breach that could have been avoided had they invested more wisely in cybersecurity.

The key, suggests EY’s Carol Murphy, is to get away from a narrow boardroom discussion about numbers. “The way to think about this is about understanding your most critical assets,” she says.

CISOs’ best chance of securing a more strategic role in their organisations’ decision-making processes is to build stronger relationships with other functions. Right now, nearly half (44%) of Irish CISOs concede they have a poor relationship with their organisation’s business heads. At the same time, 48% and 42%, respectively, are disparaging about their relationships with HR and marketing functions.

There is a danger that poor relationships are preventing CISOs from fully assessing the threats facing their organisations, potentially fuelling a false sense of confidence. Irish CISOs are, for example, noticeably more confident than their global peers. Six in 10 say they are confident they understand and can anticipate new strategies used by threat actors, compared to only 48% of international respondents.

Similarly, while 70% of Irish CISOs say their employees sometimes share damaging disinformation about the company using its technologies, 62% feel positive about their ability to measure the extent to which staff are engaging with disinformation. Only 37% of global respondents show the same level of confidence.

Such overconfidence underlines the need to look at cybersecurity more holistically, argues EY’s Carol Murphy. “It is not just about your technology,” she says. “It is about being able to articulate the risk in a business context.

Ultimately, it is about moving from being a blocker of change to a participant in digital transformation who provides the organisation with the solutions it needs to innovate.” 

Facing long-standing and complicated challenges, Irish CISOs are battling to counter the escalating threat and to secure their roles as strategic partners.

Three responses may prove critical:

Make a stronger case for compliance spending

As regulation continues to fragment, cybersecurity teams in Ireland have yet to optimise how they manage compliance. It is also an area where funding is becoming harder to attain. Just 10% of Irish CISOs say that compliance needs are the primary driver for new funding.

It is increasingly vital to make a stronger case for new funds by communicating the scale of the challenge as well as the huge potential damage of a compliance breach. New technologies such as RPA and AI that automate manual compliance work will free up precious resources, new ways of working will deliver benefits, and greater regulatory experience and knowledge in the team will be important.

“The challenge for many organisations spans people, process and technology,” says Carol Murphy. “Currently, however, they are stuck with manual systems, sub-optimal processes and skills gaps.”

Test for overconfidence through self-evaluation

Organisations cannot be truly confident in their ability to manage cyber risk unless they consistently test their abilities to counter and respond to danger. Doing so requires regular crisis response exercises, the growing use of methods such as penetration testing, and critical evaluation of forensic security and other capabilities.

“Have CISOs thought about business continuity?” asks Carol Murphy. “How will they ensure the business can function? What are the workarounds and solutions for customers, suppliers and staff? Cybersecurity has to constantly question itself to be sure its confidence is not misplaced. It has to be Trust by Design.”

Build bridges and influence

Stronger relationships with other business units will ensure CISOs have a clearer picture of difficult challenges, such as the risk of disinformation, and are in a stronger position to defend the business.

More broadly, CISOs who work closely with colleagues across the organisation will have a better understanding of the business’ wider strategic imperative. An ability to talk the language of the business will enable CISOs to secure improved resources, while helping fulfill their potential as growth enablers.

“Aim to build a peer group or network, both within and outside your organisation, that you can learn from and share ideas with,” suggests Carol Murphy. “Build a reputation for being innovative and progressive, rather than someone who focuses on the reasons why the organisation can’t do something.”