6 minute read 27 Jan 2022

Boards must act across three key areas as major pressures threaten cybersecurity’s ability to address risks more effectively.


Three cybersecurity considerations that boards should address

By Steve Lam

EY Asean Cybersecurity Leader

Cybersecurity strategist. Trusted boardroom advisor. Early technology adopter. Creative problem-solver. Avid cyclist, reader and collector of mechanical keyboards.


In brief
  • Inadequate budgets, strained relationships with the business and regulatory complexity are three major challenges faced by the cybersecurity function today.
  • Boards must drive the cybersecurity function’s alignment with core business objectives and adoption of a flexible risk- and footprint-driven budgeting model.
  • They also need to review the cybersecurity team’s talent profile and size to see if it can address emerging threats and vulnerabilities.

The disruption of the global pandemic has unleashed a perfect storm for threat agents to act. About three in four (73%) Asia-Pacific businesses saw an increase in disruptive attacks in 2021, compared with just 47% in the previous year, according to the EY Global Information Security Survey 2021 (GISS).

The rise in cyber attacks has been exacerbated by the speed at which companies rolled out digital transformation to cope with the unprecedented disruption of the pandemic. Many businesses did not involve cybersecurity in the decision-making process, either due to oversight or the urgency to expedite the process. For example, more than half of the respondents in the GISS said their organizations sidestepped cyber processes to facilitate new requirements on remote or flexible working. As a result, new vulnerabilities entered the fast-changing environment and continue to threaten businesses today.

According to the GISS, the senior leadership in many companies is increasingly concerned about the security team’s ability to protect the organization and more businesses are putting cybersecurity on their regular board agendas. However, just 9% of boards in the EY Global Board Risk Survey 2021 reported being extremely confident that their organization’s cybersecurity risk mitigation measures can protect the business from major cyber attacks, down from 20% the previous year. How can boards help bolster the cyber resilience of their companies?

The cybersecurity function today is struggling with several pressures that could be holding it back from tackling risks more effectively. This has significant implications for the board’s oversight role in the organization’s cyber resilience. Understanding the pressures faced by the cybersecurity function and addressing them is therefore a board imperative.

There will be significant implications for the board’s oversight role in the company’s cyber resilience if various pressures hold back the cybersecurity function from addressing risks more effectively.

Challenges hampering the cybersecurity function

Chief Information Security Officers (CISOs) are grappling with a confluence of challenges and three stand out: inadequate budgets, strained relationships with the business and regulatory complexity.

The cybersecurity function today tends to be severely underfunded. Despite the growing threat of cyber attacks, the cyber spend of Asia-Pacific businesses is only 0.05% of their annual revenue, according to the GISS. Respondents also said that cybersecurity expenses are not factored adequately into the cost of strategic investments like IT supply chain transformation.

Such cost-cutting has severe implications. The GISS revealed that 41% of businesses in the Asia-Pacific region expect to suffer a major breach that could be averted with better investment. Budget restrictions will also compel CISOs to make difficult decisions to wind down some strategic activities that were initiated before the COVID-19 crisis.

Perhaps even more worrying is cybersecurity’s relationships with the rest of the business. Seventy-one percent of Asia-Pacific cybersecurity leaders describe their relationships with business owners as being neutral or negative, while over 4 in 10 (44%) say their dealings with the marketing and HR functions are poor.

Of concern is how cybersecurity is being left out of vital conversations. Almost 80% of respondents in the GISS said cybersecurity teams are not always consulted or briefed in a timely manner until after the planning stage has finished. This suggests that other business functions do not always perceive cybersecurity as a strategic partner. When the CISO’s relationship with the business is under strain, the fallout is greater exposure to cyber risks.

Compounding the pressures for cybersecurity functions is regulatory fragmentation as the global compliance environment becomes more complex. Respondents in the GISS foresee that regulations will become more heterogeneous in the coming years, with compliance likely to be the most stressful part of their job.

Reframing the cybersecurity function

The board needs to evaluate the effectiveness of the cybersecurity function regularly. It can help strengthen the cybersecurity team’s effectiveness in a few key ways.

First, the board should assess the cybersecurity team’s degree of alignment with core business objectives. It is imperative that the CISO is involved in the planning of strategic digital investments so that related risks can be proactively addressed. Only 20% of Asia-Pacific businesses in the GISS include cybersecurity in the planning phase of any digital transformation program, indicating a significant opportunity for improvement in this area.

The board should play an active role in bringing cybersecurity to the rest of the business and vice versa. It can do this by directing the CISO to better quantify the commercial value that investing in cybersecurity brings and communicate cyber risks in non-technical terms to help the business understand the strategic value of cybersecurity as an enabler — rather than a roadblock — of growth. It can also direct business units to consider cyber risks and involve the CISO early in business and technology discussions.

Second, the board should monitor the company’s investments in cybersecurity and direct the management, if necessary, to take a proactive investment stance on cyber risks. Many CISOs currently struggle with inflexible budgeting models, where cybersecurity budgets are based on an allocated fixed portion within a larger corporate expense without considering the company’s growing cyber footprint and what is really required to protect the company from cyber risks. Adopting a flexible risk- and footprint-driven budgeting model instead of a “keep the lights on” approach will allow the business to align its cybersecurity strategy more closely with transformation initiatives, especially as the company transitions to more agile ways of doing business. 

Third, the board should review the talent profile and size of the cybersecurity team and assess if it is robust enough to deal with today’s cyber attacks. Cybersecurity teams need a combination of individuals with advanced technical skills who can detect emerging threats and find flaws in defenses, as well as members who excel in building interdepartmental relationships. Hiring such multi-skilled talent is challenging, given the shortage and high turnover of cybersecurity talent in the market. This makes it even more critical for the business to devise an end-to-end cyber capability approach that improves hiring, retention, capability building and people development, leverages professional services and uses technologies to automate labor-intensive tasks so that cybersecurity teams can focus on more strategic work.

Oversight of cybersecurity is an increasingly important function of the board. By spending more time on discussions about cybersecurity risks, the board will send a clear message that these are critical business issues and that the cybersecurity function is a strategic business partner. This will help the function work with the business more effectively to execute transformation programs that are not only successful, but also implemented in a cyber-secure way.

Boards should consider the following questions:

  • How regularly does the board discuss cybersecurity matters and what metrics does it use to monitor the organization’s cyber resilience?
  • What governance structures does the board have in place to oversee cybersecurity and are these subject to regular effectiveness reviews?
  • How can the organization invest more strategically in cybersecurity to address the growing risk of data breaches?
  • How is the organization designing cybersecurity into its data, processes and systems from the outset in digital transformation projects so that it can innovate with confidence?
  • Does the board have access to information on supply chains, i.e., which suppliers have access to the organization’s systems and what controls and security protocols do they have in place?

Summary

To strengthen cyber resilience, the board needs to assess how well the cybersecurity team is aligned with core business objectives and drive the CISO’s involvement in the planning of strategic digital investments. It should also monitor cybersecurity investments and drive adoption of a flexible risk- and footprint-driven budgeting model for better alignment of the company’s cybersecurity strategy with transformation initiatives. In addition, the board should help the business improve the cybersecurity team’s talent profile to better address emerging cyber risks.
