After polling some 1,000 senior cybersecurity leaders, EY found that CISOs and other security leaders are struggling with inadequate budgets, regulatory fragmentation, and disconnection from the business functions that need them the most. The findings are detailed in EY's Global Information Security Survey 2021 (GISS).
The survey also found that CISOs' relationships with their organizations are under more stress than before, which exposes many companies to greater cyber-risk. As if that weren't enough, budget restrictions are making it hard for CISOs to bridge the gap between needs and funding.
The picture is likely to worsen before it improves. Organizations want to put money into technology and innovation for the post-pandemic era and need to prepare for the next major disruption. Still, many haven't even addressed the risks they shrugged off and the potential vulnerabilities that crept in during their transformation efforts at the pandemic's peak.
This is a milestone moment for CISOs. To deal with the multifaceted and exhausting problems they face, they need to act quickly. The following sections outline what cybersecurity leaders need to know about their operating environment and steps they must take to transform it.
Rapid Transformation Introduces New Risks
Over the past 18 months, every business has adapted to disruption in one way or another. Within unheard-of time frames, forward-looking organizations implemented new customer-facing technology and cloud-based applications that supported remote work and kept the wheels of the market rolling.
But the accelerated change exacted a heavy toll. Many businesses failed to consider cybersecurity in their decision-making, and new vulnerabilities entered an already fast-moving environment. These continue to threaten businesses everywhere.
The risks of pressing on without addressing these issues are real and urgent. More than three in four respondents to this year's GISS said they have seen more disruptive attacks, such as ransomware, over the last year.
CISOs Remain Unheard
The survey also found that many CISOs are having trouble getting others to listen to them. Most respondents (56%) admit that they are not consulted, or are consulted too late, when company leaders make serious strategic decisions. Worse, business leaders are leaving cybersecurity out of critical discussions. Around six in 10 CISOs (58%) say their organizations implement new technology on schedules too tight to allow appropriate cybersecurity assessment or oversight.
There's more: Regulation is eating up a lot of precious CISO time. Half of CISOs say that ensuring compliance can be the most stressful part of their role. Fifty-seven percent of them predict that regulation will become more diverse, time-intensive, and chaotic in coming years. Since so many CISOs have to fight to get the resources they need, it's no wonder they're thinking about the effect of future regulations on their stress levels.
An Opportunity in Crisis
The CISOs that can reduce risk while supporting their organization's growth and technological aspirations have a bright future. Most of them (57%) understand that the pandemic is a golden opportunity for cybersecurity to sharpen its profile and gain attention.
One opportunity involves how corporate budgets are planned and allocated. Six in 10 (61%) respondents say their security budget is a smaller part of a larger corporate expense, such as IT, and 19% say this amount is fixed and defined cyclically. More than a third of GISS respondents (37%) say the entire organization shares cybersecurity costs, but only 15% of organizations do it dynamically, according to how resources are deployed.
Increasing Board Awareness
Senior leaders are already worried about their security department's ability to protect their organization, and more than half (55%) of the GISS respondents say cybersecurity is coming under more scrutiny from above than ever before. Four in 10 (39%) organizations are putting cybersecurity on their board agendas quarterly, up from 29% in 2020.
Still, CISOs need to break down communication barriers by talking to boards in less technical language, and by becoming more commercially minded. Not even half of respondents (44%) are confident in their team's aptitude to speak the same language as their peers, and just 26% believe that upper management would use tech terms to describe the function. Only one out of four (25%) respondents thinks senior leaders would describe cybersecurity as a commercial concern.
Budgets Are Out of Sync
The EY report also sheds light on some major funding issues, suggesting that resource allocation toward cybersecurity was disproportionate. The companies surveyed had, on average, revenues of approximately $11 billion last year but spent an annual average of only $5.28 million, or 0.05% of the total, on cybersecurity.
The picture varies across sectors. At one extreme, in the highly regulated financial services sector and in technology, media and entertainment, and telecommunications (TMT), GISS respondents spent an average of $9.43 million and $9.62 million, respectively, on cybersecurity last year. Energy companies spent an average of $2.17 million. Company size made a difference: the smallest businesses dedicated a larger proportion of their budgets to cybersecurity than their larger counterparts.
Many CISOs have met the present security challenge and can show that their role is growing more strategically important every year. However, they ought to zero in on the aspects of cybersecurity where many have been weaker in the past. Specifically, they should seek to bolster stakeholder engagement, ensure their efforts align with core business goals and objectives, and assess their business partners' satisfaction with the performance and delivery of security services.
CISOs know the principle of "shifting left," or bringing cybersecurity into the transformation and product development life cycle earlier on. One challenge here is that the spectrum of skills needed in today's CISO role is expanding in several directions simultaneously. Today, no "standard" cybersecurity profile exists. CISOs need people with advanced technical skills and the ability to forge interdepartmental relationships. In terms of relationship-building, CISOs must ensure their staff have greater exposure to marketing, innovation, and other relevant business units.