Why cybersecurity could be the missing link to growth

The COVID-19 pandemic was a turning point for cybersecurity teams. As organizations shifted overnight to remote and flexible ways of working, attackers seized the opportunity to exploit vulnerabilities in their defenses. At the same time, businesses implemented new technologies at pace, demanding security teams act quickly, identify weaknesses, and contain threats.

All this intensified pressure on the chief information security officer. Now, as firms step beyond the pandemic, CISOs have another critical role: enabling recovery and growth. Early findings from the latest EY Global Information Security Survey (GISS) suggest that the majority of cybersecurity leaders are choosing to see the crisis as an opportunity to raise their profile across the business. In this new world, CISOs can finally dispense with the perception that their function is a brake on innovation and change. But a balance must be struck.

“During COVID, businesses introduced technology to communicate with customers and support new ways of working, but those technologies weren’t secure,” says Kris Lovejoy, EY Global Consulting Cybersecurity Leader. “Hackers will attack vulnerabilities in the system for years to come. For cyber practitioners, the question needs to be: How can we ensure our business reaps the benefit of the technology, without leaving us open to attack.”

As the challenges of the crisis continue to evolve, CISOs are at a crossroads. Becoming an enabler of growth is essential, but it’s easier said than done. Our CISO Imperative series is designed to help you on that journey, providing critical answers and actions to reframe the future of your organization. In this introduction to the themes of GISS 2021, we highlight four barriers CISOs must first overcome.

1. Cybersecurity has bridges to fix and build 

At the height of the pandemic, cybersecurity teams came under scrutiny as businesses responded to the changing environment. “There was a need for speed and a get-it-done attitude,” says Mike Maddison, EY EMEIA Consulting Cybersecurity Leader. “But did cybersecurity teams bring forward solutions to act as an enabler? Unfortunately, in many cases, they were very much seen as the blocker.”

Emerging findings from this year’s GISS suggest cybersecurity’s relationship with other functions has deteriorated over the last 12 months. One point of concern is that the decline in relationships is most pronounced among functions taking the lead in the growth agenda. Approximately half of respondents judge their relationship with the marketing function to be negative, for example, up from 36% a year ago, while a higher proportion than last year also say the same of product development.

A challenge is these outward-facing functions have taken control of their technology renewal programs and can bypass cybersecurity. “Many teams have introduced cloud-based platforms during the pandemic, introducing new risk without discussing the changes with cybersecurity,” says Lovejoy.

In turn, around four in 10 respondents say a key priority after COVID-19 is to address risks introduced as their organization responded to lockdown. Moreover, our findings suggest the problem is becoming more entrenched over time, with CISOs increasingly excluded from the earliest stages of strategic transformation: approximately 50% say they are brought in at the planning or design stages of new business initiatives, down from 63% a year ago.

2. Regulatory fragmentation is adding an extra layer of stress for CISOs

Faced with competing demands for their time and resources, CISOs are increasingly preoccupied with privacy and security regulation. For global businesses, whose operations span multiple jurisdictions, the ongoing fragmentation of regulation is an additional pressure.

Around one in two respondents says compliance can be the most stressful part of their job, and approximately 55% expect regulation to become even more fragmented and time-consuming in the years to come. “It creates an enormous amount of overhead – you’re answering the same question in a variety of different ways,” says Dave Burg, EY Americas Consulting Cybersecurity Leader.

To add to the problem, it is becoming harder for CISOs to access the resources they need to manage regulation. Almost six in 10 say COVID-19 has increased the risk of non-compliance, but CISOs say regulation is less effective as a lever to secure new funding. Less than one in five describes regulation as an effective way for them to make the case for budgets, down from 29% in 2020.

“Regulations are fragmenting, but the primary need of today’s business is to transform,” says Lovejoy. “If a CISO says, ‘I need more money for regulation,’ it doesn’t carry as much weight as it did.”

3. The scale and complexity of the cybersecurity threat continue to grow

CISOs are determined to focus on growth and business enablement, but they are also mindful of the increasingly sophisticated threats they face. The vulnerabilities introduced by pandemic-era technology are only part of the story, with bad actors seeking to exploit a range of new entry-points.

“Attacks have become commoditized,” says Richard Watson, EY Asia-Pacific Consulting Cybersecurity Leader. “You can buy a ransomware program cheaply and easily on the dark web. Viruses have been democratized.”