How will your business bridge the cybersecurity divide?

By

Kris Lovejoy

EY Global Advisory Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.

4 minute read 16 Jan 2020


Security leaders and their boards/C-suites are not always fully engaged on how to confront the systemic risks posed by cyber threats.

Almost two-thirds of companies are failing to incorporate cybersecurity at an early stage as they focus on tech-enabled transformation projects and innovation, new EY research reveals. Early findings from the latest EY Global Information Security Survey (GISS) reveal that just 36% of cybersecurity teams are asked to play an early and integral role in such initiatives.

The problem, which threatens to seriously undermine many organizations’ efforts to exploit digitalization and emerging technology, appears to stem from shortfalls in engagement, understanding and risk awareness between company boards, other functions of the business and the cybersecurity team. Without closing such gaps, cybersecurity teams will continue to find it difficult to secure the resources, support and status they need to properly protect their organizations.

Right now, while many organizations say that their cybersecurity teams have good relations with adjacent functions such as IT, audit, risk and legal, they are concerned about the lack of connection with other parts of the business. For example, 74% say that the relationship between cybersecurity and marketing ranges from neutral at best to mistrustful or non-existent; 64% say the same of the research and development team; 59% say the same of the lines of business. Cybersecurity teams even score poorly on their relationship with finance, on whom they depend for budget authorization: 57% of companies say that relationship falls short.

These findings are particularly concerning as this year’s GISS, which interviewed almost 1,300 businesses worldwide, underlines warnings that the threat level continues to rise. It reveals that 59% of companies have experienced an increase in the number of destructive attacks over the past 12 months. Of those, more than half have been hit by an increase of 10% or more.

That increase in attacks is one reason why CEOs now regard cybersecurity as one of the most urgent risks they face. The 2019 EY CEO Imperative Study revealed that CEOs believe that national and corporate cybersecurity is the greatest threat facing the world economy over the next 10 years.

However, this year’s GISS reveals a gap between intent and practice, with many organizations failing to work sufficiently closely with their boards on cybersecurity.

Where to improve

While most companies say their boards have at least some involvement in establishing and approving the strategy, direction and budget of their cybersecurity programs, only a minority are completely engaged in this work.

One problem for many boards is that they do not feel equipped to understand the risks their organizations face or the measures that would mitigate those risks. The priority now for chief information security officers (CISOs) must be to give the business’s senior leaders a better understanding of cybersecurity.

They will be pushing at an open door: boards themselves are keen to improve in this area, with almost half of those where there is a knowledge shortfall now taking steps to remedy it. Only 25% of respondents to the GISS say that they are able to quantify risk in financial – or business – terms. Meanwhile, early findings from the EY Global Board Risk Survey suggest that only 20% of boards are extremely confident in their organizations’ cyber-attack mitigation measures.

EY Global Board Risk Survey: 20% of boards are extremely confident in their organizations’ cyber-attack mitigation measures.

The inability of the security team and leadership team to communicate effectively about the importance and value of security, coupled with a relationship deficit, helps explain the widespread failure to involve cybersecurity at the earliest stage of designing new, technology-enabled business initiatives. As any security professional will attest, failing to design security and resilience into initiatives from the beginning, as one would design safety equipment into a car before putting it on the road, is a recipe for failure.

In this context, the disconnect between cybersecurity teams and senior business leaders has the potential to be highly damaging. Many boards and C-suites do not fully appreciate the value of their cybersecurity programs or have not studied their needs in detail. Most importantly, they fail to see security as a strategic requirement which must be considered during the planning stages of any new initiative. CISOs who fail to build stronger relationships with their boards and C-suite partners will, therefore, continue to struggle in the role of “firefighter,” as opposed to strategic advisor who can help business leaders make important decisions about risk trade-offs.

A new role for the CISO?

How can the cybersecurity function address these issues? One challenge will be to set out in more detail the value it generates. For example, only 7% of companies are confident that they can quantify, in financial terms, the impact of a cybersecurity breach.

Raising the profile of cybersecurity issues at board level is also crucial. Almost a third of companies (32%) say that cybersecurity is a board agenda item only annually – or never. And at many companies, the issue makes it on to the agenda on only an ad hoc basis.

These data show that CISOs need to rethink their roles as they seek to protect their organizations from cybersecurity risk. While they will continue to need strong technical skills and expertise, their ability to forge stronger relationships at board level and with other functions is becoming more and more important.

Organizations in every industry are now confronted by the challenges of disruption and the rapid emergence of significant opportunities, and it is their CISOs that have an unparalleled opportunity to become agents of change. Those CISOs that raise their profiles, cement their position at the center of the enterprise and offer pre-emptive ways to mitigate risk will become key enablers of strategic transformation.

Summary

New EY research suggests not all company boards or C-suites understand the cyber risks their businesses face – as a result, many are failing to confront this issue. CISOs share the responsibility: they may now need to rethink their roles in order to tackle this issue.
