After polling almost 1,300 organizations, EY found that only 36% of organizations take cybersecurity into account when planning new ventures. In its "Global Information Security Survey 2020," the firm reports that the uptick in activist attacks — which the report pegs as the second-most common source of significant or material breaches — illustrates why cybersecurity needs to be part of every aspect of the business. CISOs who aren't frequently interacting with senior company leaders will likely be overshadowed, potentially resulting in the launch of new products or services that are vulnerable to cyber threats.
Unfortunately, CISOs aren't there yet, and cybercrime increases by the day. According to EY, six in 10 organizations have weathered a significant cyber incident in the past 12 months, and 48% of boards suspect that cyberattacks and data breaches will affect their business in the coming year. About 21% of the attacks were traced to "hacktivists" — tech-savvy political and social activists — who are second only to organized crime (23%).
Boards Still Working in the Dark
Most boards understand that they need to pay closer attention to cybersecurity. This fact was underlined in the EY report, which indicates that 72% of boards see cyber-risk as "significant." Moreover, CEOs expect that widespread corporate cyberattacks will pose the biggest threat to the global economy over the next decade.
But while boards acknowledge that cyber-risk exists, just about half (52%) of respondents say that their board is fully up to speed on the nature of those risks. Further, 43% say their board doesn't fully appreciate the value and needs of the cybersecurity team. This should not startle anyone, because in 60% of organizations the cybersecurity chief has no official board or executive management role, and only 54% of organizations make cybersecurity a regular item on the board agenda. A mere 32% of security leaders discuss strategic issues and drive change with the board.
This scenario needs to change — but how? A good start would be for CISOs to reconsider the way they communicate with their boards. For example, in the EY report, only a quarter of the respondents could put a dollar figure on the value of their cybersecurity spending in addressing critical business risks.
Cybersecurity Remains an Afterthought
Because activists are waging cyberattacks and digital transformation is now driving the business agenda, the cybersecurity department can't continue to play its traditional reactive role. It has to be on the offensive.
As mentioned earlier, only 36% of the EY respondents say their cybersecurity team plays a part in planning new business initiatives. Instead, the security team should be an integral member of the product planning team rather than being summoned later. EY calls this "Security by Design," where cybersecurity is a central consideration right from the get-go of any new project. If security protection is continually treated as a product retrofit, the result will be expensive, less-than-perfect solutions and clunky implementations. Today, when almost every organization is revising its products, services, operational processes, and organizational structures to align with the realities of digital business, treating cyber threats as an afterthought during product development is a nonstarter.
That said, organizations have a long way to go. The EY report shows they are spending on business as usual, not on new initiatives. In fact, some 17% of organizations spend 5% or less of their cybersecurity budget on new initiatives; 44% spend less than 15%. And while artificial intelligence — currently the best way to combat cyberattacks — is playing a bigger part in organizational decision-making, operations, and customer communications, only 5% cite an increased focus on artificial intelligence.
Agents of Transformation
CISOs are now in a position where they must — somehow — reinvent how they work and how they are perceived within their organizations. Historically, they have been the company's risk-averse first line of defense against cyberattacks, and have been viewed as such. But this state of affairs needs to evolve.
"CISOs cannot afford to be seen as blockers of innovation; they must be problem-solvers," says Kris Lovejoy, EY Global Advisory Cybersecurity Leader, in EY's report. "The way we've organized cybersecurity is as a backward-looking function, when it is capable of being a forward-looking, value-added function. When cybersecurity speaks the language of business, it takes that critical first step of both hearing and being understood. It starts to demonstrate value because it can directly tie business drivers to what cybersecurity is doing to enable them, justifying its spend and effectiveness."
But do current CISOs have the right skills and experience to work in this new way and serve in a more proactive and forward-thinking role? That's an open question, and the answer will probably demand a new breed of CISO whose job is not driven mainly by threat abatement and compliance. In addition to technical skills, the new CISO will need commercial know-how, solid communication skills, and the ability to work collaboratively.
Living up to this new job description will require the cybersecurity leader to adapt to new modes of working. It'll be disruptive in the short term, but worth it. It's an opportunity for cybersecurity to become an essential business partner at the core of the organization's value chain, one that leads transformation and continually demonstrates its value.