Chapter 1
Is the board losing confidence in the CISO and cybersecurity team?
TMT CISOs appear, at first glance, to be well connected. Almost one in four says they report directly into the CEO.
This is well above the 12% average across other sectors. Similarly, 43% say their boards include cybersecurity on their agendas on a weekly or monthly basis; just 21% of other organizations do the same.
Despite their regular dealings with the senior leadership team, TMT CISOs may be falling out of favor. In the EY Global Board Risk Survey 2021, just 7% of TMT board members express high levels of confidence in their businesses’ cyber risk mitigation measures. Not only is this figure below the cross-sector average, but it also represents a deterioration since last year’s survey, when 23% of TMT boards felt very confident in the cybersecurity function.
TMT leaders are feeling the pressure. Just under half (46%) say they have never come under as much scrutiny as they do today, and they worry that boards are questioning their team’s value for money: 62% admit that their boards do not always see the case for additional cybersecurity funding.
Investing in cyber budgets
62% of TMT CISOs admit the case for further funding is not always understood.
In this context, the relationship between TMT CISOs and the board may need a reset. “From an oversight perspective, boards need to ask where cybersecurity fits within the transformational perspective,” says Kris Lovejoy.
Chapter 2
Are cyber teams making the best use of a decent budget?
Security teams in TMT are relatively well resourced, so could they be doing more?
The average TMT cyber function in this year’s GISS has an annual budget of US$9.6m, compared with US$5.3m across other sectors. At the same time, 65% of TMT respondents have more than 20 full-time equivalent members of staff, while, across all sectors, just 39% of organizations have comparable headcounts.
The question for TMT CISOs is whether they are making these additional resources count. In a sector where organizations are continually rolling out new digital initiatives, is cybersecurity delivering security by design?
The short answer is no. Less than half of TMT CISOs (42%) are confident that their businesses’ new digital initiatives are secure by design – and just 20% are typically brought in at the planning stage of new projects.
CISOs should make a virtue out of necessity, argues Andy Ng, EY EMEIA Data Protection & Privacy Consulting Leader. “By maintaining visibility of your crown jewels, and enforcing policy, you are able to move faster with more confidence. That’s the opportunity,” he says. “It is about changing the narrative from a focus on compliance and preventing data loss – both important, to one that is based on enabling collaboration and innovation.”
Another challenge for TMT CISOs is how to deploy their resources efficiently as the attack surface of their organizations expands. “TMT companies are more subject to third-party supply chain risk than any other industry,” notes Lovejoy. “They are ingesting technology from third-party providers and also building and delivering technology to others.”
This year’s GISS suggests there is an urgent need to make the supply chain more secure, with CISOs flagging high levels of concern about the exposures created by third parties. Just one in three (34%) is confident their third parties will disclose in good time if they have suffered a breach; a disappointing 14% are very confident in their ability to protect the supply chain.
Chapter 3
Why is security by design so hard to achieve?
TMT businesses are excluding cybersecurity from the planning stage of new initiatives.
More than half of TMT cyber leaders (58%) say their organizations roll out new technology to timescales that do not allow for suitable assessment or oversight from a cybersecurity perspective.
Many TMT CISOs also report that their organizations sidestep cybersecurity when making transformations at speed. The shift to remote operations provides a good example: 55% of sector respondents acknowledge that business teams bend cyber processes to facilitate new requirements around flexible working.
CISOs might blame other business functions for being inflexible or working to unrealistic deadlines, but blame will not fix the issue. “There is distrust with business units, and what this suggests is that CISOs are not fully integrated,” says Lovejoy.
A more effective approach would be to reach out and build bridges across the organization. Few CISOs in TMT enjoy strong relationships with key functions. Approaching half (48%) characterize their relationship with marketing as poor, while 56% complain of negative interactions with HR. Meanwhile, 33% have unsatisfactory relationships with product development. In such a scenario, expecting to be consulted at the planning stage of new initiatives is likely to be a false hope.
CISOs should be prepared to take the initiative in improving these relationships, and there is reason to believe that they are acknowledging the need to do so. Half say their top priority after COVID-19 is to embed a culture that embraces security by design.
Rising to the challenge: How TMT CISOs can respond
As threat actors step up attacks on the sector, TMT CISOs are under pressure to act. Three responses may prove critical.
1. Look beyond compliance for cross-functional leverage
In the past, CISOs have frequently used compliance as a justification for rolling out cybersecurity measures. Telling peers that they must adopt a cyber policy “because regulation says so” does not, however, carry as much weight as it did. Nonetheless, the research suggests that CISOs are relying heavily on regulation, with 94% agreeing that compliance drives the right focus and behaviors.
In practice, the key to stronger relationships lies in engaging on the issues that are front of mind for business partners, with a focus on commercial and strategic drivers. “The most important aspect of a CISO’s job is being able to tell the story”, argues Andy Ng. “You have to speak to the corporate narrative in addition to the security and technical one. The role is arguably that of the ‘Chief Information Soapbox Officer.’”
2. Invest in new skills development
Less than half of TMT CISOs (42%) are confident that they have access to the skills they need. These skills must extend beyond technical competency: effective cybersecurity increasingly relies on commercially minded team players who can engage positively with the rest of the business, especially if they are relying less on regulation as a driver.
Right now, however, slightly less than half (43%) of CISOs in the sector are confident that their teams speak the same language as peers across the business.
Communicating with the business
43% of TMT CISOs think their teams speak the same language as the rest of the business.
“There’s a real problem to be resolved,” says Lovejoy. “CISOs in TMT are confident their organizations see them as protecting the enterprise, but they accept they are not regarded as flexible, collaborative or enabling of innovation.”
3. Deepen awareness of threat actors’ evolving strategies
Threat actors have adapted their strategies in recent years, such as by finding new ways to infiltrate the supply chain. Cynical crime groups are likely to target TMT businesses with ransomware, recognizing that disrupting operations will have a societal impact.
TMT CISOs are, however, still building their defenses against these strategies. Less than one in three (27%) is confident they can measure the extent to which employees are engaging with disinformation. Well under half (37%) are confident in their ability to make the supply chain watertight.
“These industries are at the nexus of the transformation on which our society and economy depend,” concludes Kris Lovejoy. “I don't think we can overestimate the need for a top-down intervention.”
Summary
The TMT industries are dynamic and constantly innovating, and the pace is only getting faster. It is important for CISOs to be involved early in the development cycle for new products and services. They need to build relationships for themselves and their teams with peers across the business – telling a positive story about the role of security in the wider corporate narrative.