Transformation strategy of the information security function


In response to crisis events, companies are rapidly adopting new technologies to meet new business challenges. Of the respondents to the EY Global Information Security Survey, 58% say the time frame for these implementations was too tight to put adequate information security measures in place, and 56% do not always know whether they are sufficiently protected against new attacker tactics. As companies launch new transformation initiatives, the risk of cyberattacks grows. At the same time, CISOs have the opportunity to demonstrate the strategic importance of their role and to transform information security together with the business.

How EY can help

We help our clients develop and implement an information security strategy based on a cost-effective, risk-oriented approach that takes into account the threat landscape specific to the organization.

This approach allows information security to become a strategic business partner that supports new initiatives aimed at achieving the organization's goals and mission, while ensuring an appropriate level of security and preventing losses when risks materialize.

The main advantages of a strategy implemented with this approach:

  • Effective allocation and use of the entire organization's information security resources and activities
  • Adaptability to changes in the business environment
  • Increased attention to compliance with regulatory requirements
  • Transparency of investments in information security
  • Effective planning and implementation of initiatives
  • Qualitative and quantitative performance measurement and proper reporting, which increase the job satisfaction of the function's staff

What we do

We analyze the current status of information security and develop the target state of all components of the Operating Model of the information security function, that is, the set of all factors that affect the function's ability to achieve the goals set by the organization:
  • Corporate governance
    • Information security goals and their compliance with business goals
    • The function's reporting line at senior management level
    • The structure of the collegial bodies in which InfoSec issues are considered
    • Interaction with other departments and senior management
    • InfoSec reporting and its format
  • Policies
    • The structure of the policy documentation and how completely it covers the InfoSec function's activities
    • The process of managing documented information on information security
  • Processes
    • Existing InfoSec processes and their maturity to support operational activities
    • Processes that are not performed, or performed inefficiently or partially
  • Technical architecture
    • Necessary and cost-justified technical protection measures against the threats relevant to the organization
    • Tools for automating and increasing the efficiency of InfoSec processes
  • Organizational structure
    • The structure of the information security unit and its compliance with the business strategy and sustainable development strategy
    • The main roles and responsibilities, and the efficiency of their distribution
    • Headcount drivers for current and future tasks
  • People and competencies
    • Competence structure of InfoSec function employees
    • The process of training and development of employees' competencies
    • The process of managing employee motivation
  • Performance measurement
    • Main InfoSec risks of the organization and key risk indicators for their measurement
    • Key Performance Indicators (KPIs), both for individual roles and divisions and the function as a whole

After agreeing the target state and the ways to achieve it with the client's representatives, we develop a roadmap of transformation projects. If required, we help our clients implement the transformation program or its individual projects.

We can also focus on individual components of the Operating Model, depending on the client's needs.

Why EY?

Our team has extensive experience delivering a wide range of information security projects, including developing strategies for transforming the InfoSec function. The Ukrainian team has completed more than 10 such projects over the past 5 years for local and international companies that lead their fields. Our approach draws on leading information security practices, in particular ISO 27001, the NIST Cybersecurity Framework, the SANS CIS Controls, and others.
