Chapter
Build on boardroom influence
CISOs in the UK are well resourced but under-represented in strategic planning.
Authorities in the UK took a relatively early lead on cyber risk. The Government launched the National Cyber Security Centre in 2016, recognising that it needed to drive awareness and responsiveness. Campaigns, such as Cyber Essentials, provide a range of cybersecurity support for organisations of all shapes and sizes, while the Network and Information Systems (NIS) regulations introduced common levels of security for operators of essential services and digital service providers.
This national focus kept cyber risk at the top of the board agenda for many UK companies, ensuring it is widely regarded as a key business risk, assessed by risk committees and discussed in most corporate reports. In our findings, more than a third of UK respondents (34%) say that cybersecurity is a boardroom agenda item at least weekly or monthly in their firm. Globally, the figure is just 22%.
One result of this focus is that CISOs in the UK are, relatively speaking, well-resourced. Nearly 6 in 10 (59%) declare themselves happy with the funding they receive for cybersecurity, which is ahead of their counterparts in the US (56%), Canada (54%) and Australia (54%), as well as the global average (51%). At the same time, 46% of UK CISOs say that their board fully understands the value and needs of the cybersecurity team.
But a significant challenge remains. CISOs in the UK may have secured adequate budgets, but few have managed to shift the organisation’s perception of the role that cybersecurity plays, leaving them at risk of exclusion from the strategic conversation.
EY UK GISS 2021
16%of the surveyed UK CISOs say that they are brought into discussions about new strategic investments at the planning stage.
26% of US CISOs, by contrast, are brought into their organisation’s strategic conversations from the outset and have made this leap successfully. Just 1 in 10 UK CISOs have direct reporting lines to their organisation’s CEO, against 14% globally.
In the absence of a more strategic role, UK CISOs will struggle to take full advantage of their resources. Their work will remain reactive and tactical, rather than enabling the organisations to embrace security by design, or to future-proof their strategic investments.
Chapter
Bear down harder on supply chain risk
For UK businesses, the supply chain is a significant point of vulnerability.
UK CISOs see supply chain cyber risk as the overall top challenge for their team. Nowhere else in the survey is the supply chain of such grave concern. Why is this? Much of the apprehension could be attributed to the sheer number of attacks that UK organisations have faced, that can be linked back to supply chain exposure.
An additional pressure point is the changing nature of the supply chain. Even before COVID-19 prompted businesses to review their resilience, companies in the UK were thinking about how the country’s departure from the European Union (EU) might affect their logistics. Brexit, bringing new rules on imports and exports to and from the EU, has forced businesses to rethink their networks — and take on new exposures to cyber risk.
EY UK GISS 2021
42%of the surveyed UK CISOs believe that they can defend and recover from a cybersecurity attack.
In turn, less than half of UK CISOs (42%) are confident that their entire supply chain is secure in its ability to defend and recover against threat actors. It is not just immediate suppliers that worry them — 52% say third and fourth parties in their supply chain represent the greatest compliance risk to the organisation.
At least half the attacks that our clients receive are third-party initiated in some way, and the attacks on software vendors are significant because so many customers use their products.
Clearly, CISOs in the UK recognise the scale of the issue. While 34% of CISOs globally say that fixing new vulnerabilities in the supply chain is a top priority in the wake of the pandemic, the figure rises to 40% in the UK.
Chapter
Take control in a fragmented compliance landscape
Frustrated by regulations, CISOs need to get smarter about meeting compliance requirements.
CISOs in the UK face an increasingly complex set of compliance challenges. They must deal with supranational regulations, such as General Data Protection Regulation (GDPR), as well as national requirements. Industries, such as financial services and utilities also face sector-specific regimes, and new regulation continues to be unveiled.
Half of UK CISOs flag that ensuring compliance across the regulatory landscape can be the most stressful element of their job. Nor are they convinced that this stress is fully justified: only 36% believe fully that compliance requirements are driving the right focus and behaviours.
Today, there is not even a sense that the regulatory imperative gives CISOs leverage as they apply for greater funding and resources. Fewer than half (45%) say that regulation has made it easier for them to make the case for cybersecurity budget.
Despite these frustrations, the regulatory environment, as it stands today, is the reality of what CISOs must deal with. How, then, to manage this issue?
One answer is to think about the organisational structure — including the governance — of cybersecurity. By implementing a centralised set of controls, from which all regulatory requirements pivot, security teams can ensure that they are responding to questions only once. With the right tracking and oversight, organisations can get to a point where responding to myriad compliance requests is owned by one person and comes from one set of controls.
Many CISOs would rather design cybersecurity structures to suit the critical risks that their organisations face, rather than simply to align with compliance requirements. A risk-based decision is better than a compliance-driven decision, but the key is to reduce the need to meet multiple different compliance requirements and to answer multiple questions.
Chapter
Rising to the challenge: how UK CISOs should respond
CISOs in the UK have their hands full. This chapter explores how CISOs can best move forward.
This year’s GISS suggests that UK CISOs do not need to convince their boards or key business partners of their value, in terms of protecting the organisation from risk. But, as organisations focus on growth and recovery from the global pandemic, cybersecurity must secure a reputation as a strategic enabler.
CISOs will need to embrace the commercial imperatives of the business, ensuring that the new initiatives are implemented, rather than acting as an obstacle to change. Just 32% of CISOs believe, for example, that the executive team would describe cybersecurity as enabling innovation. Tackling these challenges will help ensure CISOs are consulted on new ideas at the earliest possible stage.
Explore the potential of automation to reduce compliance drudge
CISOs warn about the time and resource that must be devoted to compliance work, particularly as regulation fragments. They recognise the importance of compliance but highlight the repetitive nature of the work involved when meeting numerous regimes, each with subtle variations.
Technology can help, with automation enabling cyber professionals to focus more attention on risk-based and value-added work. Investing in new tools, such as robotic process automation, may be valuable, but many CISOs will be able to get more out of the tooling they already use.
Build stronger relationships across the business to address supply chain risk
Many UK CISOs worry about the strength of their relationships with other key business functions. While most report strong relationships with functions, such as finance, legal and risk, relations with marketing, product development and business lines, are not as resilient. Just 24% of the UK CISOs characterise their relationship with marketing as trusting and consultative, for example.
Strengthening these relationships will help CISOs transition into a more strategic role and could also be vital for supplier risk management. Moving closer to those operational areas of the business that initiate and maintain relationships with suppliers will be very valuable in this regard.
Train the board on how to interpret cyber risk — and cyber teams on telling the story
Some 57% of UK CISOs say that their boards sometimes make decisions on cybersecurity without having the technical understanding needed to fully understand the threat. This suggests there is more work to do to educate boards on what constitutes cyber risk and the potential response. Equally, the onus is on CISOs to provide information and analysis to boards in the most accessible, relevant and impactful ways. An overly technical approach to communication is unlikely to have cut-through, and CISOs may need help to articulate a narrative that really resonates with the board.
Summary
UK CISOs are in a strong position to support their businesses’ recovery from the global pandemic and future growth plans. But to do so they must first expand their strategic influence within the organisation, understand and fix vulnerabilities in the supply chain, and optimise compliance using the best approaches and technologies.
