In last year’s GISS, 46% of respondents thought that compliance drove the right behaviors within their business. In 2021, this figure has fallen to 35%. At the same time, fewer than one in five (18%) respondents describe regulation as an effective way for them to make the case to their boards for additional budget, down from 29% in 2020.
While senior executives may have become more responsive to business cases that link increased cybersecurity spending with transformation, they appear less moved than they were by CISOs’ warnings about the growing compliance burden.
Not all cybersecurity leaders are pessimistic about regulation. Roland Cloutier at TikTok says regulation is consuming “at least 50 or 60%” of his time, but he remains positive overall. “Our strategic security programs are based on the next generation requirement around regulatory considerations and consumer protection. That’s a great thing. We’re enabling our products to be ready for the future. It’s helping us create the leading industry concept of how to operate as a business dedicated to protecting the safety, security, and privacy of our users worldwide.”
3. Cybersecurity’s relationships with other leaders are deteriorating
To manage the cyber risk attached to strategic transformation, CISOs need to provide counsel at the earliest stages of investment decision-making. But the relationships between cybersecurity and other functions in the business, which are essential for such consultations to take place, lack positivity and strength.
Business leaders exclude the CISO
Weak relationships have long been a concern for CISOs, but this year’s GISS suggests the problem is becoming more pronounced. According to the survey, business leaders are cutting cybersecurity out of vital conversations. Around six in 10 respondents (58%) say their organization sometimes implements new technology with timescales that do not allow for suitable cybersecurity assessment or oversight.
Dan Higgins, EY Global Consulting Technology Leader, calls it concerning that CISOs are involved late in the process of deploying new technology and data solutions. “It is imperative that CISOs establish their seat at the table at the strategy and solution architecting phases of digital transformation, when these risks can be proactively addressed and avoided,” he says.
It’s a trend that may be driven from the top of the business. According to the EY CEO Imperative Study 2021, CEOs no longer describe cybersecurity as their top concern, as they did in 2020. Their focus in 2021 has turned instead to challenges around adopting new technology.