20 minute read 4 Oct. 2023

Is your greatest risk the complexity of your cyber strategy?

Authors
Richard Watson

EY Global and Asia-Pacific Cybersecurity Consulting Leader

Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

Richard Bergman

EY Global Cyber Transformation Leader

Cybersecurity leader. Forensics guru. Helping organizations face the future with confidence.

Related topics Cybersecurity Consulting

The EY 2023 Global Cybersecurity Leadership Insights Study shows how leaders are bolstering defenses while creating value. 

In brief
  • Organizations have increased cybersecurity investment, but threats have intensified as adversaries harness advanced technology and attack surfaces expand.
  • The most effective CISOs simplify their technology landscape, emphasize automation and communicate effectively across organizational tiers.
  • Improved cybersecurity not only reduces vulnerability; it creates value by optimizing technology spend, nurturing collaboration and building trust.

Despite the increasing threat of cyber-attacks and ever-rising investments in cybersecurity, just one in five Chief Information Security Officers (CISOs) and C-suite leaders consider their approach effective for the challenges of today and tomorrow.

Respondents to the EY 2023 Global Cybersecurity Leadership Insights Study also noted there was cause for concern. Organizations are facing an average of 44 significant cyber incidents a year, and detection and response times are slow, with three-quarters of organizations taking an average of six months or longer to detect and respond to an incident. Meanwhile, the known number of cyber-attacks has increased by approximately 75% over the past five years[1] and ransomware costs are forecast to reach US$265 billion by 2031, up from US$20 billion in 2021.[2] New, sophisticated adversaries are weaponizing the latest technology to increase the speed and scale of their attacks. The impacts — financial, regulatory and reputational — are mounting.

  • About the research

    In February and March 2023, the global EY organization conducted research to better understand how companies are approaching their organization’s cybersecurity to prepare for the cybersecurity threats of today and tomorrow. We surveyed 500 C-suite and cybersecurity leaders across 19 different sectors and 25 countries covering the Americas, Asia-Pacific (APAC), and Europe, the Middle East, India and Africa (EMEIA). Respondents represented organizations with over US$1 billion in annual revenue.

Using statistical modeling, we identified leading organizations with the most effective cybersecurity — we call this group “Secure Creators.” Compared to their lower-performing counterparts, “Prone Enterprises,” Secure Creators have fewer cyber incidents and are quicker at detecting and responding to incidents. They are also more likely to be satisfied with their cybersecurity approach today (51% vs. 36%) and more likely to feel prepared for the threats of tomorrow (53% vs. 41%). 

Secure Creators’ approach to cybersecurity both protects and creates value for their organization. They are significantly more likely to see positive impacts to their ability to respond to market opportunities and their pace of transformation and innovation. What sets Secure Creators apart is how they behave differently across three key areas:

  • They are quick to adopt emerging technology and utilize automation to orchestrate their cybersecurity technology and streamline processes.
  • They have specific strategies for managing complex attack surfaces across the cloud, on-premises and third parties.
  • They have integrated cybersecurity into all three levels of the organization, from the C-suite, to the workforce at large, and the cybersecurity team itself.
  • Identifying Secure Creators

    To help us identify companies with better cybersecurity outcomes, we asked leaders to evaluate their organization against a range of objective and subjective cybersecurity metrics: mean time to detect (MTTD), mean time to respond (MTTR), number of cybersecurity incidents, integration of cybersecurity within the organization, and cybersecurity’s impact on innovation and value creation.

    Through statistical modeling, we identified two segments — Secure Creators (high-performing organizations), which represented 42% of the survey sample and Prone Enterprises (lower-performing organizations), which represented 58% of the survey sample. 

Where Oceania companies should be spending their cyber dollars

In brief:

  • Cybersecurity is critical for the wellbeing of every Australian public and private organisation and citizen – and the competitiveness of our nation.
  • Australia is not where we need to be in our levels of cyber maturity given the increasing frequency of cyberattacks and their cost to the economy.
  • By learning from the best, companies can strengthen their cybersecurity by investing in simplification and automation.

For boards and executives in Oceania, the big cyber concerns right now are business disruption and data breaches. These leaders know the chances of a cyberattack materially affecting their organization are skyrocketing – and their ecosystem models and increasing reliance on cloud services are expanding their attack surface.

As a result, their willingness to invest in cybersecurity has increased. The question is: are these large cyber budgets being spent in the right place?

In early 2023, the global EY organisation surveyed 500 C-suite and cybersecurity leaders across 25 countries, including Australia and New Zealand. From their responses, we identified two segments: high-performing organisations, “Secure Creators”; and lower-performing organisations, “Prone Enterprises”. Compared to their lower-performing counterparts, Secure Creators have fewer cyber incidents and are quicker at detecting and responding to incidents.

In Oceania, our sample was split equally between the two groups. The survey results suggest that, while 50% of local organizations are pushing their cyber spend in the right direction, others are not.

Find out which group your organization falls into and the key areas where cybersecurity spend delivers the most value.


Chapter 1

Adopting emerging technology: security through simplification

Organizations are rushing to build their cyber tech stack, increasing clutter; the most effective harness automation to reduce complexity.

Secure Creators are more likely to say their approach to cybersecurity is also tied to improved adaptability as threats change (45% report a positive impact). On the other hand, just 34% of Prone Enterprises said the same while 36% report their approach has a negative impact on their adaptability. While the same emerging technology empowers organizations, cyber leaders need to ensure they have a cybersecurity technology strategy which provides security through simplification. Cyber leaders should:

  • Simplify and rationalize existing cybersecurity technologies to reduce total cost of ownership and establish the platform for seamless operations at speed.
  • Review legacy systems that are duplicative or poorly integrated as part of technology modernization.
  • Adopt simplified and automated cybersecurity processes, rather than multiple independent configurations.
  • Adopt emerging capabilities faster without introducing new risks or complicating the overall technology environment.
  • Consider automation-led approaches including DevSecOps and SOAR.
  • Pursue co-sourcing and a managed services approach that simplifies infrastructure and increases visibility while generating cost efficiencies.
  • Energy firms saddled with fragmented IT environment

    On an industry basis, our survey reveals that energy firms in particular are struggling with cybersecurity, with only 35% saying their organization is well-positioned to take on the threats of tomorrow, compared to 48% of all other industries. Additionally, they are more likely than other industries to take a “wait until technology is tried and tested” approach and point to not prioritizing emerging technology integration as the biggest internal cybersecurity challenge.

    Only 22% are satisfied with their non-IT workforce’s adoption of best practices.

    “The energy industry has ramped up investment in cybersecurity in recent years. Its status as critical national infrastructure has led to tightening regulatory and compliance pressures to ensure resilience against attacks and failures,” says Clinton Firth, EY Global Cybersecurity Lead, Energy. The pressure to transition to renewable energy is forcing a shift from legacy operational technology toward more distributed networks, including through the Internet of Things (IoT). The cybersecurity technology offerings have improved significantly, helping energy firms efficiently identify vulnerabilities and develop key controls like privileged access management, threat detection and response.

    However, the industry has major structural challenges. Oil and gas companies are global, but cybersecurity standards and regulations are localized. Cybersecurity functions often struggle to collaborate effectively with plant managers who control the operational assets, and original equipment manufacturers and legacy operational technology environments are obstacles to change.

    “In the last few years, a number of energy companies have been investing similar amounts in cyber to financial services, but they have more fragmented IT environments,” says Alam Hussain, EY EMEIA Cybersecurity Leader. “Energy companies are spider-like. It’s difficult to put in solutions that cover all areas of cyber risk.”


Chapter 2

Secure Creators gain coverage of the entire attack surface

“Cloud at scale” and deeper supply chains are increasing attack surfaces.

“Too many attack surfaces” was the most cited internal challenge to organizations’ cybersecurity approach. Within the organization, the transition to cloud computing at scale and the Internet of Things (IoT) have increased openings for cyber breaches. Moreover, an ecosystem-led approach to business today, while helping drive value, also presents a significant cybersecurity challenge. All told, 53% of cyber leaders agree there is no such thing as a secure perimeter in today’s digital ecosystem. Most dangerous of all are supply chains, responsible for 62% of system intrusion incidents in 2021.[3]

Reducing risks for cloud and IoT implementation

Three in four respondents rank cloud and IoT as the biggest technology risks in the next five years. Through cloud adoption, attack surfaces have increased exponentially. The pace of change continues to accelerate, and companies are trying to keep up. These rapid changes have the potential to expose organizations to data loss, breaches, and disruption when organizations onboard cloud and IoT without sufficient design and planning around the cloud interfaces and environment. To overcome this complexity, organizations need to harness automation. For instance, half of CISOs from Secure Creator organizations report their organization currently uses or is in the late stages of implementing cloud orchestration and automation in their approach to cybersecurity.

Additionally, companies can’t assume that all their cyber risks are being handled by the cloud provider. “Cloud security is a shared responsibility especially when it comes to identity and access,” says Carolyn Schreiber, Partner, Cybersecurity Consulting, Ernst & Young LLP. “We often see misconfigurations and advise that more setup is required than just ‘lifting and shifting’ to the cloud. Key areas to consider include privilege access management to avoid privileged escalation, secrets management and avoidance of lateral movement. From our clients, we are seeing the most secure organizations reading the fine print in the contract and leaning in, requiring their cloud service providers (CSPs) to support the same security standards as mandated by their organizations. Holding both internal teams and CSPs accountable is a way to transition without increasing risk security controls in their cloud platforms and containers.”

Cyber risk quantification is an emerging area where automation and data analytics can add insight and aid risk prioritization. Executive committees and boards are asking more questions about cyber and digital risk. Cyber leadership should aspire to have a business dialog with stakeholders: explaining cyber risk in dollar-value terms is far more powerful, and enables better decision-making, than the technical updates CISOs have traditionally provided.

  • Cloud at scale and cyber risk in APAC, EMEIA and the Americas

    APAC survey respondents are more likely to see cloud at scale as one of the top threat-enabling technologies (81% vs. 74% of Americas and 63% of EMEIA). Regulators have been slower to permit cloud services in APAC, which may have caused a lag in adoption or put the region behind Europe and the Americas in terms of confidence to transition to cloud.

    On the other hand, EMEIA puts more weight on the risks posed by AI/ML (49% vs. 38% of Americas and 34% of APAC). 

Supply chains: engage early and monitor continuously

All organizations are now inextricably and digitally linked to businesses in their supply chain. In searching for the weakest links, cyber attackers harness a “one-to-many” strategy, tapping into thousands of organizations. “We have seen threat actors really target supply chains in the last five years. If they can compromise a key software supply chain player that is critical to 30,000 organizations, then they are inside those 30,000,” says Richard Bergman, EY Global Cybersecurity Transformation Leader.

Yet despite the danger, Prone Enterprises are more focused on financial risk (52% vs. 41% of Secure Creators) while Secure Creators are almost twice as likely to be highly concerned about the risks the supply chain poses (38% vs. 20%) and related risks such as intellectual property protection (38% vs. 24%). While awareness is the first step, CISOs should seek to streamline their organization’s supply chains to gain visibility into the resiliency of vendors on a continuous basis, not just as a one-off. Deeply partnering with Chief Operating Officers (COOs) and other operation leaders is critical to ensure visibility across all attack surfaces in the supply chain. In more mature organizations, security functions are involved in vendor selection decisions, and higher levels of assurance are put in place and managed continuously. COOs and CISOs can find themselves in conflict, with COOs held back from growth opportunities by cybersecurity worries, for instance, and CISOs feeling under-valued as protectors of the organization. But only by working together can true resilience be achieved.[4]


Chapter 3

Speaking the language of the business

The most effective CISOs communicate effectively across the organization, speaking the language of the C-suite and the workforce.

Secure Creators build bridges across the organization. At three distinct levels of the organization – the C-suite, the cybersecurity team, and the workforce at large — they excel in communicating with different stakeholders and explicitly recognizing the “human factor” in cybersecurity.

Speaking to the C-suite

While the CISO role was once primarily operational and technical, in more mature organizations, cybersecurity operates as a department and function in itself and has a seat at the senior management table. Our survey finds that, thanks to their increasingly prominent role, CISOs have been broadly successful in securing the resources necessary in today’s high-risk environment. Budget, once a top internal challenge, was only ranked sixth out of eight in a list of obstacles in this year’s survey. Cybersecurity is increasingly recognized as a fundamental business resilience, reputation and compliance issue and is being equipped with ample support.

While budgets are a critical component, cybersecurity needs to be embedded throughout the organization. This requires buy-in from senior leaders, bridging knowledge gaps, and close communication between CISOs and the C-suite. However, our survey reveals these groups aren’t always on the same page. Compared to the C-suite, CISOs were less likely to be satisfied with the effectiveness of their organization’s overall approach to cyber (36% versus 48% of C-suite) and with their ability to take on the threats of tomorrow (38% vs. 54% of C-suite).

Perception gaps between the CISO and C-suite are much smaller for Secure Creators, who are more satisfied with C-suite integration of cybersecurity into key business decisions, suggesting more effective communications with senior leaders creates a shared understanding of risk and improves cybersecurity performance. Aligned perceptions of performance are a marker of more secure companies. Organizations that have cybersecurity operations embedded with core business priorities and strategies have higher odds of experiencing fewer incidents. The most effective CISOs translate the narrative into a storyline that resonates in terms of risk buydown, business impact and value creation.

Effective support for the workforce

The broader integration priority is the wider workforce. Human error continues to be a major enabler of cyber-attacks, and weak compliance to best practices beyond the IT department was the third biggest internal challenge in our survey.

Only half of cybersecurity leaders say their cyber training is effective and just 36% are satisfied with non-IT adoption of best practices, raising questions on how effective this training truly is. However, Secure Creators are more satisfied with cybersecurity best practice adoption than Prone Enterprises (47% vs. 27%). Being brilliant at the basics should be the focus. Organizations must simplify best practices asked of the workforce and create guardrails in their processes to limit risk rather than rely on compliance. More mature organizations have incremental regular training and leverage the latest automation and preventative tools. Making cybersecurity second nature by embedding it into the psyche of every person in the organization will help ensure more effective training and adherence.

Talent: thinking outside the org chart

Within the cyber workforce, talent is a recurring challenge: the cybersecurity workforce gap has grown more than twice as fast as the worldwide cyber workforce in the past year. Cybersecurity is stuck in a skills catchup, and upskilling is the main focus for most organizations in our study. But Secure Creators are approaching this challenge more creatively. For instance, they are twice as likely to be significantly prioritizing recruiting or reskilling workers not currently in the cybersecurity field (28% vs. 14% of Prone Enterprises). Non-traditional hires can emerge from a range of backgrounds, including coming from other functional areas where automation has reduced workloads significantly, such as finance and general IT, and from non-traditional backgrounds including apprenticeships.

Leaders think more flexibly about how to shape the operating model of their cybersecurity function by outsourcing more of their security operations (a median of 25% vs. 15%) and being more likely to outsource additional functions and capabilities to third-party specialists in the future (46% vs. 31%). Outsourcing can simplify internal cybersecurity functions by allowing for specialized third parties to focus on specific cybersecurity functions their internal workforce may not be equipped to handle. Secure Creators are also prioritizing standardizing and automating security processes to reduce staffing needs (35% vs. 26%), further simplifying their organizational structure.

While companies are becoming more inclined to outsource the “people and process” aspects of cybersecurity work, they are more circumspect about the technology itself. Rather than a multi-tenanted technology solution hosted by an outsourcer, organizations generally want to own the technology in their cloud, configured for their specific needs and risk appetite, while benefiting from the capacity that outsourcing or co-sourcing provides in terms of skills and people. They can also benefit from access to the third-party outsourcer’s intellectual property.

A further creative capacity strategy is formulating individual roles to coordinate business and cyber teams. A “consulting” capability acts as a liaison between cyber teams and the wider business, by understanding requirements and incorporating cyber considerations into the business. Some companies are experimenting with a “pod” approach in which a team of cyber consultants manages a “lift and shift” process into the organization over a period of six or nine months where they might run a secure development cycle, training the relevant personnel and then move on. This can infuse new skills and allow the in-house team to learn by doing.


Chapter 4

Five ways Secure Creators accelerate value

Leaders harness automation and orchestration to simplify the technology environment and communicate effectively across the organization.

Cybersecurity is not just about asset protection. Done well, it can also support and accelerate innovation and value creation across the enterprise. From our clients, we have seen that the best organizations have cyber woven into the fabric of the firm. Making cyber integral to every part of the organization and operating model shifts the function from an inhibitor to a value driver.

Secure Creators are much more likely to say their cyber approach positively impacts the organization’s pace of transformation and innovation (56% vs. 25% of CISOs from Prone Enterprises), ability to rapidly respond to market opportunities (58% vs. 29%) and ability to focus on creating value rather than protecting value (63% vs. 42%). Value creation can take many forms. Cyber-secure organizations win greater trust from customers and suppliers who will be more confident transacting with them. Re-designing technology architectures can improve communication, collaboration and workforce productivity and improve spend efficiency.

For example, heightened security risks led one retail giant to pursue a cyber reform initiative that enhanced value beyond reduced vulnerability, important though that is. This included more efficient technology spending, the removal of obsolete and redundant tools, optimized manpower and refined roles and responsibilities, more efficient collaboration, and strengthened trust in its over one-billion-strong customer base.  

    Data visualization bar chart showing the impact cybersecurity has on creating value, responding to market opportunities, and the pace of transformation and innovation for Secure Creators and Prone Enterprises.

Our study shows Prone Enterprises are more likely to struggle with balancing security and the speed required to innovate (55% vs. 42% of Secure Creators), revealing a further example of how cyber effectiveness is a platform for value and innovation and its absence, a hindrance. Ecosystems have become a fundamental business strategy to create value, whether that is through multiple brands, wholly owned or majority owned subsidiaries, partnerships or joint ventures. To fully leverage the benefits of ecosystems, cybersecurity needs to be embedded from the start. CISOs need to ensure that cybersecurity criteria are included when evaluating potential partners by standardizing tech integration protocols. They also need to communicate effectively with business decision-makers to appropriately manage the risk that comes with expansion. An acquisition, for instance, may bring cyber risks but if the figures are dwarfed by the opportunity, it becomes a business risk decision like any other and need not necessarily mean abandoning a pursuit. Companies need to live with a “reasonable” level of risk.

Actions for a more effective and value-driven cybersecurity strategy

The EY 2023 Global Cybersecurity Leadership Insights Study returned sobering findings, with C-suite leaders grappling with a range of present and anticipated threats. But it also offers reassurance that organizations experience very different outcomes partly as a result of their cybersecurity strategy. By learning from the best, companies can strengthen their cybersecurity by emphasizing simplicity, holistic thinking and integration of cybersecurity considerations across the organization. None of these are beyond the reach of the Prone Enterprises. Key action points emerging from the survey include:

  1. Simplify the cyber technology stack to reduce risk and improve visibility. Automation and orchestration can reduce clutter in the technology environment, allowing you to detect signals faster and respond more effectively.
  2. Utilize standardization and automation to reduce supply chain entry points for hackers, improve cyber vigilance and continuously monitor performance without adding undue bureaucracy. This also ensures that security teams are involved early in vendor selection.
  3. Translate your narrative into a storyline that resonates with the business in terms of risk buydown, business impact and value creation.
  4. Combine incremental and well-designed training with automation and prevention tools to make the workforce cyber-secure by design.
  5. Weave cybersecurity into the fabric of your organization rather than viewing it as an inhibitor. It drives value, instills the confidence necessary to innovate and opens new revenue and market opportunities.

With special thanks to AnnMarie Pino, Mike Wheelock, Bhavnik Mittal – EY Research Institute; Aino Tan – Business Insights; and Vanessa Lobo – Global Technology Consulting, for their contributions to this article.


Summary

Organizations face a worrying wave of cyber threats. While security has become a C-suite priority, backed with growing financial support, the risks are intensifying. Attack surfaces continue to expand through supply chains and cloud computing at scale, and adversaries are harnessing capabilities like AI to mount more effective attacks.

The EY 2023 Global Cybersecurity Leadership Insights Study explores how organizations are responding to today’s challenges. Through segmentation analysis, we identify the common traits and behaviors that define the most successful, from how they simplify their technology architecture to their ability to communicate across the organization. 
