Editorial

EY: Despite more and more attacks, businesses still see Cybersecurity as an ‘afterthought’

Its latest Global Information Security Survey also reveals that over the last 12 months, activists were responsible for 21% of successful cyber attacks – second only to organised crime groups (23%) – compared with last year’s study, where just 12% of respondents considered activists as the most likely source of an attack

Posted 19 February 2020

Only a third of organisations responding to a poll from Big 4 leader EY say the Cybersecurity function is involved at the planning stage of a new business initiative.

That’s one of the main findings of this year’s just-released annual EY Global Information Security Survey (GISS).

Reflecting the answers of over 1,300 Cybersecurity leaders at organisations all over the world, the data also shows that almost 60% of organisations responding have faced an increased number of disruptive attacks in the past 12 months.

It also reveals that over the last 12 months, activists were responsible for 21% of successful cyber attacks – second only to organised crime groups (23%) – compared with last year’s study, where just 12% of respondents considered activists as the most likely source of an attack.  

Even so, despite the increasing risk, only 36% of new, technology-enabled business initiatives include the security team from the beginning, it warns.

Commenting on the results, Kris Lovejoy, EY Global Cybersecurity Leader, Advisory, notes that the reason may be that Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative.

However, she goes on to warn, “This is not a sustainable model.

“If we ever hope to get ahead of the [IT security] threat, we must focus on creating a culture of security by design.

“This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock.”

According to the survey, while Cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business.

Plus, three-quarters (74%) say that the relationship between cybersecurity and marketing is, at best, neutral, if not actually “mistrustful” or even “non-existent”, while 64% say the same of the research and development team and 59% for the lines of business.

Finally, more than half (57%) say their relationship with finance, on which they depend for budget authorisation, is also strained.

“As companies undergo transformation, what’s needed is to build relationships of trust across every function of the organisation, starting at the board level so that cybersecurity is established as a key value enabler,” Lovejoy warns.

“Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position Cybersecurity at the heart of business transformation and innovation.”