Chapter 1
CISO at the crossroads
A time of stress, change and opportunity.
The COVID-19 pandemic forced every business to adapt to disruption within timeframes that, only a short time ago, would have been considered a herculean task. Organizations rolled out new customer-facing technologies and cloud-based tools that supported remote working and kept the channel to market open.
But the speed of change came at a heavy price. Many businesses did not involve cybersecurity in the decision-making process, whether through oversight or through the urgency to move as quickly as possible. For instance, we saw cyber-attacks on Critical Information Infrastructure (CII) entities, particularly power and other utilities, increase exponentially.
Tiffy Isaac, EY India Cybersecurity Partner says that “with the exponential increase in data usage, the new way of working has led to a whole new set of diverse risks that are associated with managing operational continuity, compliance and security”.
India reported 1.16 million cyber security cases in 2020, roughly three times the number reported in 2019, according to government data presented in the Parliament of India.
Today, no industry is safe or spared from attacks. Each sector such as manufacturing, energy, retail, professional services, government, healthcare, media, transport, education, etc. has been a victim of cyberattacks.
Over the last year, threat actors have increasingly adopted new strategies: targeting businesses with phishing campaigns, embedding backdoor code that enables exploitation of commercial software, targeting newer vulnerabilities in procurement, and exploiting the ever-evolving supply chain, which has quickly moved from a physical supply chain to a software supply chain and eventually to a digital supply chain. Attackers are targeting a growing attack surface, and their tactics are becoming more and more unpredictable.
Yet, CISOs are struggling to make themselves heard. Most respondents (46%) admit that cybersecurity teams are not consulted, or are consulted too late, when leadership makes urgent strategic decisions. Whilst some maintain that this happens ‘not very often’, it only needs to happen once for a flaw in the defenses to be exploited by threat actors.
As CISOs work to transform their organizations to create long-term value, the stakes are high. As companies become more and more digital, cybersecurity plays an important role in their journeys. CISOs are struggling to turn these digital risks into any kind of competitive advantage that creates long-term value. Businesses are witnessing a renewed customer focus on a differentiated experience, a responsive cybersecurity posture, digital, and sustainability.
Chapter 2
Three challenges holding back the CISO
Turning the tide on cybersecurity.
1. Today’s cybersecurity organization is overwhelmed and underfunded
Despite the need for agility, given the volatility of the pandemic era and the possibility of future disruptions, survey data indicate that budget allocation processes remain largely rigid. Most respondents across India believe that cybersecurity expenses are not factored adequately into the cost of strategic investments. As a result, even though the amount of cybersecurity investment in India is higher, organizations still need to invest strategically in the cybersecurity function.
69% of respondents are of the opinion that their annual spend on cybersecurity is below US$500,000.
Nearly 7 out of 10 (67%) CISOs surveyed believe that their budget is lower than what they need to manage the cyber-related challenges that have emerged in the last 12 months. According to market analysts, India's cybersecurity services industry is projected to grow from US$4.3 billion in 2020 to US$7.6 billion in 2022. It is estimated that the market size for data security in India will be US$13.6 billion by 2025, growing at 21% per year[1].
The discipline of cybersecurity is under greater scrutiny today than it has been in the past. Boards have acknowledged the need to discuss security issues more frequently than ever before, considering the sudden spike of cybersecurity incidents in India. To mitigate the challenges of a weak and undefined cybersecurity budget, respondents have focused on the following activities:
14% reviewed their legacy architecture for cost-reduction opportunities
13% realigned cybersecurity requirements to better meet changing business needs
7% reduced the employee headcount
16% increased reliance on third-party providers
10% scaled back innovation activity to focus on core, non-strategic tasks
Whilst organizations are realizing the importance of cybersecurity, their budgets need to be restructured to reinforce their cyber defense. Additionally, cybersecurity budgets should be factored adequately into the cost of strategic investments and should support business objectives.
2. Regulatory fragmentation: a challenge for CISOs?
Privacy and security regulations demand more from CISOs than ever before. Global businesses operating in multiple jurisdictions are under additional pressure due to fragmentation of regulation.
Compliance is one of the most stressful aspects of the job for approximately three out of five (60%) respondents, and approximately 61% expect regulations to become even more fragmented and time-consuming in the future.
“The Indian compliance environment is becoming more complex, with organizations operating at National and International levels, with silos, overlaps and massive amount of being generated by Indian citizens. The regulatory and legal requirements are bound to get more explicit and stringent on the basis of various industry/sector,” reflects Vidur Gupta, EY India Cybersecurity Partner.
3. Deteriorating relationship between CISOs and other leaders
CISOs have always worried about weak relationships, but the GISS suggests the problem is becoming more pronounced. According to the study, business leaders are not considering cybersecurity during important conversations.
“Cybersecurity has been evolving from a technical discipline to a strategic concept and it is imperative for businesses to have the Cybersecurity function as a strategic contributor starting at the Board,” says Burgess Cooper, EY India Cybersecurity Partner.
77% of organizations sidestepped cyber processes and failed to consult security teams during the planning phase.
Compared to 2020, when more than a third of respondents (36%) believed that cybersecurity teams were consulted when planning new business initiatives, that number plunged to 23% in 2021. This could be because business and cybersecurity teams are finding it challenging to co-ordinate and communicate frequently in a remote working model.
When cybersecurity is embedded in the business, CISOs will be in a strong position to help drive innovation and become better informed of threats faced by the organization.
Chapter 3
Next steps for the organizations and CISOs
Building a bridge together.
How should CISOs respond to the core challenges outlined in this year’s GISS? CISOs must be available to different departments and remain ahead of the curve in an ever-changing threat landscape, across all areas of cybersecurity. Their relationship with the Board must shift from ‘informing the Board’ to ‘educating the Board’ and eventually ‘leading the Board’ on the cyber risk program, its maturity and the way ahead.
“It is of paramount importance that the cybersecurity function is supported by the Board as a trusted enabler for transformation and growth,” says Kartik Shinde, EY India Cybersecurity Partner.
Beyond the storm: future of cybersecurity
Whilst CISOs have risen to the challenge and can today demonstrate the growing strategic importance of their role, the crisis has certainly provided an opportunity. CISOs can leverage this opportunity to accelerate their efforts to address new-age constructs.
Although it is not a direct or straightforward initiative, it is an ambitious objective that can be reached within a year, and this is a time when cybersecurity has been given prominence like never before, especially in India. On strategies, investments, and priorities, CISOs must be involved with the business. It is the time for them to secure a seat at the table, whilst continuing to build stronger, trust-based relationships with their C-suite peers.
Summary
The cybersecurity function can become a vital enabler of growth. First, it needs to address budget shortfalls, overcome regulatory complexity and improve relationships with the business.