Chapter 1
Double trouble
Irish CISOs’ business partnering ambitions have been undermined way more than their global peers’.
“Our experience tells us that both the number and the severity of these incidents is increasing exponentially in Ireland,” says Carol Murphy, EY Ireland Consulting Partner and Head of Technology Risk. She adds: “This is due to Ireland being perceived as being less mature and, therefore, presenting more opportunity for vulnerabilities to be exploited by cyber criminals than some other markets.”
Irish CISOs’ business partnering ambitions have been undermined way more than their global peers’. More than two-thirds (68%) complain that their teams are sometimes consulted too late or even not at all when their organisations make strategic decisions. Globally, only 56% of respondents share this concern. In Ireland, many organisations still do not have a CISO or have only recently appointed one. “So, this role is still evolving. There is more work to be done to build awareness of the role of CISO and to articulate the value that can be delivered to the business through this role,” reflects Carol Murphy.
She warns that the attacks have increased in frequency as well as in sophistication and malicious intent: “These are complex, sophisticated attacks performed by organised criminals. There is nothing random or opportunistic about them.”
How, then, can CISOs in Ireland manage the threat, while redoubling their longer-term efforts to become a growth-enabling function? Which challenges do they face, preventing them from growing their influence in the business?
Chapter 2
A regulatory storm is brewing
Regulations are likely to become more complex and more time consuming to manage in the years ahead.
CISOs in Ireland are more likely than their international counterparts to feel overwhelmed by the burden of compliance. Their concerns mirror the ongoing fragmentation of international regulation, which has left many struggling to cope with evolving privacy and security regimes on a regional and national level as well as new industry-specific standards.
More specifically, the global scale of many Irish employers, reflecting the country’s attractiveness as a location for international business, is adding pressure.
“Ireland is the European hub for so many global organisations,” explains Carol Murphy. “It is their gateway to the rest of Europe and they are, therefore, navigating regulation across multiple geographies and divisions. That is a real challenge.”
More than four in 10 (42%) Irish respondents describe compliance requirements as the most challenging aspect of cybersecurity (see Figure 2). A more modest 29% of global respondents feel the same way.
There is little chance of a slowdown in regulation in the years to come. European Union regulation – such as the NIS Directive, its revised scope as covered by the NIS 2 Directive, and potential reforms to GDPR – is becoming more comprehensive.
Emerging technologies such as artificial intelligence, along with the ethical considerations around their use, will also spawn new regulation as businesses explore opportunities to create new value from data.
Many organisations are looking to digital workforce technologies such as RPA and intelligent automation. Ethics and security and controls need to be considered in the deployment of these technologies.
Against this backdrop, 60% of Irish CISOs expect regulation to become more complex and more time consuming to manage in the years to come. Already, more than half (54%) say that delivering compliance for their organisations can be the most stressful part of their jobs.
These sentiments stem, in part, from CISOs being excluded from the early stages of decision-making. “Where cybersecurity is involved from the start – focussed on security and privacy by design – there is an opportunity to work with regulation and compliance in mind from the beginning, rather than having to reverse-engineer it,” advises Carol Murphy.
Chapter 3
Forced to do more with less
Funding shortfall in Irish cybersecurity functions is becoming more visible.
Irish cybersecurity functions are underfunded. More than half of the respondents (52%) in Ireland flag that it is just a matter of time until they suffer a major breach that could have been avoided had they invested more wisely in cybersecurity.
The funding shortfall is also becoming more visible as the implications of COVID-19 become clear:
44%of Irish cybersecurity executives say their budget is lower than required to manage cybersecurity issues that have emerged in the past 12 months.
The key, suggests EY’s Carol Murphy, is to get away from a narrow boardroom discussion about numbers. “The way to think about this is about understanding your most critical assets,” she says.
Do boards really understand what you are trying to protect? Can you articulate the criticality of your data and your infrastructure in a business context, so that boards understand what level of protection or vulnerability those crown jewels have?
Increasingly, cybersecurity is tasked with managing risk that goes beyond the organisation into a broader ecosystem, which puts greater pressure on available resources. Relationships with stakeholders including customers, employees and suppliers introduce new vulnerabilities that must be accounted for.
The supply chain also presents considerable danger: a fourth or fifth party may be several times removed from the organisation, but it could still pose a cybersecurity risk. “You are only as strong as your weakest link,” notes Carol Murphy.
The supply chain is an area of concern for Irish businesses, but the research suggests that some may be overconfident in their abilities to secure it. More than two-thirds (70%) say they are confident they can ensure their entire supply chain is water-tight in its ability to defend and recover against threat actors. In comparison, only 33% international respondents feel the same.
As Irish organisations struggle to secure the resources they need to protect the business, complacency could cause serious issues.
Recent global events have shown that supply chains can come under increasing pressure and commitments are not always guaranteed. Supply chains are a key asset to business operations and it is, therefore, essential to ensure they are robust, resilient and sustainable in order to minimise disruption and ensure business continuity.
Chapter 4
Trust deficit holds back progress, distorts the picture
Irish CISOs’ overconfidence presents a need to look at cybersecurity more holistically.
CISOs’ best chance of securing a more strategic role in their organisations’ decision-making processes is to build stronger relationships with other functions. Right now, nearly half (44%) of Irish CISOs concede they have a poor relationship with their organisation’s business heads. At the same time, 48% and 42%, respectively, are disparaging about their relationships with HR and marketing functions.
There is a danger that poor relationships are preventing CISOs from fully assessing the threats facing their organisations, potentially fuelling a false sense of confidence. Irish CISOs are, for example, noticeably more confident than their global peers. Six in 10 say they are confident they understand and can anticipate new strategies used by threat actors, compared to only 48% of international respondents.
Similarly, while 70% of Irish CISOs say their employees sometimes share damaging disinformation about the company using its technologies, 62% feel positive about their ability to measure the extent to which staff are engaging with disinformation. Only 37% of global respondents show the same level of confidence.
Such overconfidence underlines the need to look at cybersecurity more holistically, argues EY’s Carol Murphy. “It is not just about your technology,” she says. “It is about being able to articulate the risk in a business context.
Ultimately, it is about moving from being a blocker of change to a participant in digital transformation who provides the organisation with the solutions it needs to innovate.”
Chapter 5
Next steps: How Irish CISOs should respond
Irish CISOs need to communicate better the scale of challenges to make a stronger case for compliance funding.
Facing long-standing and complicated challenges, Irish CISOs are battling to counter the escalating threat and to secure their roles as strategic partners.
Three responses may prove critical:
Make a stronger case for compliance spending
As regulation continues to fragment, cybersecurity teams in Ireland have yet to optimise how they manage compliance. It is also an area where funding is becoming harder to attain. Just 10% of Irish CISOs say that compliance needs are the primary driver for new funding.
It is increasingly vital to make a stronger case for new funds by communicating the scale of the challenge as well as the huge potential damage of a compliance breach. New technologies such as RPA and AI that automate manual compliance work will free up precious resources, new ways of working will deliver benefits, and greater regulatory experience and knowledge in the team will be important.
“The challenge for many organisations spans people, process and technology,” says Carol Murphy. “Currently, however, they are stuck with manual systems, sub-optimal processes and skills gaps.”
Test for overconfidence through self-evaluation
Organisations cannot be truly confident in their ability to manage cyber risk unless they consistently test their abilities to counter and respond to danger. Doing so requires regular crisis response exercises, the growing use of methods such as penetration testing, and critical evaluation of forensic security and other capabilities.
“Have CISOs thought about business continuity?” asks Carol Murphy. “How will they ensure the business can function? What are the workarounds and solutions for customers, suppliers and staff? Cybersecurity has to constantly question itself to be sure its confidence is not misplaced. It has to be Trust by Design.”
Build bridges and influence
Stronger relationships with other business units will ensure CISOs have a clearer picture of difficult challenges, such as the risk of disinformation, and are in a stronger position to defend the business.
More broadly, CISOs who work closely with colleagues across the organisation will have a better understanding of the business’ wider strategic imperative. An ability to talk the language of the business will enable CISOs to secure improved resources, while helping fulfill their potential as growth enablers.
“Aim to build a peer group or network, both within and outside your organisation, that you can learn from and share ideas with,” suggests Carol Murphy. “Build a reputation for being innovative and progressive, rather than someone who focuses on the reasons why the organisation can’t do something.”
Summary
Irish cyber leaders are striving to become enablers of growth. Their ambitions are achievable, but only if they can first overcome the pressure of compliance, secure more generous budgets, and build trust among their business colleagues.