How does security evolve from bolted on to built-in?

4 minute read 18 Feb 2020

Show resources

  • EY Global Information Security Survey 2020 (pdf)

    Download 996 KB

CISOs pursuing and driving a culture of Security by Design can play a crucial role as enablers of transformation.

In the face of mounting cyber threats, many organizations go on the defensive – and miss a golden opportunity to gain a competitive edge by putting enhanced cybersecurity and privacy at the heart of their strategy.

To make the shift to a culture of Security by Design, CISOs must embrace the commercial realities facing their organizations in a disruptive marketplace. And the rest of the business, from board level down, must ensure cybersecurity has a seat at the leadership table.

The shift is a shared responsibility: CISOs can – and must – engage more collaboratively with the rest of the business, while boards, C-suites and other business functions must commit to a closer working relationship with their cybersecurity colleagues. Only in this way can cybersecurity teams play a crucial role as enablers of transformation.

In this year’s EY Global Information Security Survey, we look at the evolving role of the cybersecurity function from three perspectives:

1. A systemic failure in communication

Activist attackers were the second-most common source of material or significant breaches, the report shows. The increase in activist attacks underlines how the cybersecurity function needs a much deeper understanding of its organization’s business environment. CISOs who do not work collaboratively with colleagues across the business will inevitably be side-stepped by other functions and lines of business which could, for example, launch new products or services that expose the organization to new threats.

Early findings from the forthcoming EY Global Board Risk Survey identified “Technology Disruption” as the greatest strategic opportunity for organizations. The fact that many organizations are seizing on this opportunity by undergoing technological transformation also requires CISOs, the board and C-suite, and the business to work together even more closely. This is so that they can embed cybersecurity solutions at a much earlier stage of new business initiatives – a culture of Security by Design.

Lacking Security by Design


of organizations say cybersecurity is involved right from the planning stage of a new business initiative.

  • The cyber and privacy threat is increasing and expanding. About 6 in 10 organizations (59%) have faced a material or significant incident in the past 12 months, and as the EY Global Board Risk Survey reveals, 48% of boards believe that cyber attacks and data breaches will more than moderately impact their business in the next 12 months. About one-fifth of these attacks (21%) came from “hacktivists” (that is, tech-enabled, political and social activists) – second only to organized crime groups (23%).
  • Only 36% of organizations say cybersecurity is involved right from the planning stage of a new business initiative.
  • Cybersecurity spending is driven by defensive priorities rather than innovation and transformation: 77% of new initiative spending focused on risk or compliance rather than opportunity.
  • One in five respondents spend 5% or less of their cybersecurity budget on supporting new initiatives.

2. Increase trust with a relationships reboot

So, with Security by Design as the goal, CISOs and their colleagues across the organization – including functions, such as marketing, R&D and sales – need to form much closer relationships in order to improve overall business understanding of cybersecurity and meet the mark of Security by Design. 

Increased collaboration with other functions must be a priority, but cybersecurity also needs to form much more productive relationships with the board, the C-suite and senior leaders.

Time for a relationships reboot


of organizations say that the relationship between cybersecurity and the lines of business are at best neutral, to mistrustful or non-existent.

  • The relationship between cybersecurity and marketing is at best neutral, to mistrustful or non-existent, according to 74% of organizations; 64% say the same of the research and development team; 59% for the lines of business. Cybersecurity teams even score poorly on their relationship with finance on whom they are dependent for budget authorization, where 57% of companies say they fall short.
  • About half of respondents (48%) say that the board does not yet have a full understanding of cybersecurity risk; 43%, meanwhile, say that the board does not fully understand the value and needs of the cybersecurity team.
  • The EY Global Board Risk Survey reveals that boards lack confidence in their organization’s cybersecurity, with 50% – at best – stating they were only somewhat confident.
  • Just 54% of organizations regularly schedule cybersecurity as a board agenda item.
  • Six in ten organizations say that they cannot quantify the effectiveness of their cybersecurity spending to their boards.

3. The CISO becomes the agent of transformation

With stronger relationships at business and board level, a better understanding of the organization’s commercial imperatives, and the ability to anticipate the evolving cyber threat, CISOs can become central to their organizations’ transformation. 

They will need a new mindset, as well as new skills in areas such as communication, negotiation and collaboration. The CISOs that will become powerful agents of change will be the ones who instead of saying “No” to new initiatives say “Yes, but…”

Cybersecurity function seen as an obstacle to innovation


of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk averse.”

  • Just 7% of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk averse.”
  • About half the organizations (48%) say that the primary driver for new spending is risk reduction, and 29% cite compliance requirements. Just 9% point to new business initiative enablement.
  • Six in ten organizations do not have a head of cybersecurity who sits on the board or at executive management level.

EY recommendations in brief

Based on the findings from this year’s GISS, it is clear that there is now a real opportunity to position cybersecurity at the heart of business transformation and innovation. This will require boards, senior management teams, CISOs and leaders throughout the business to work together to:

  1. Establish cybersecurity as a key value enabler in digital transformation — bring cybersecurity into the planning stage of every new initiative. Take advantage of a Security by Design approach to navigate risks in transformation, product or service design at the onset (instead of as an afterthought).
  2. Build relationships of trust with every function of the organization — analyze key business processes with cybersecurity teams to understand how they may be impacted by cyber risks and how the cybersecurity team can help enhance the business function around them.
  3. Implement governance structures that are fit for purpose — develop a set of key performance indicators and key risk indicators that can be used to communicate a risk-centric view in executive and board reporting.
  4. Focus on board engagement — communicate in a language the board can understand; consider a risk quantification program to more effectively communicate cyber risks.
  5. Evaluate the effectiveness of the cybersecurity function to equip the CISO with new competencies — determine the strengths and weaknesses of the cybersecurity function to understand what the CISO should be equipped with and how.
  • What is Security by Design?

    Security by Design is a new approach that builds cybersecurity into any initiative from the onset, rather than as an afterthought, enabling innovation with confidence. It is a strategic and pragmatic approach that works across all parts of the organization. Security by Design remains in the initiative’s lifecycle to help with the ongoing management and mitigation of security risks.


New EY research suggests that outside of the need for compliance, a gulf separates cybersecurity from the business. To bridge the chasm, CISOs need to prove their value in a language boards and C-suites can understand; and the business needs to embrace cybersecurity from the onset and through the lifecycle of every initiative.

About this article