Time for a relationships reboot
59% of organizations say that the relationship between cybersecurity and the lines of business is at best neutral, and at worst mistrustful or non-existent.
- The relationship between cybersecurity and marketing is at best neutral, and at worst mistrustful or non-existent, according to 74% of organizations; 64% say the same of the research and development team, and 59% of the lines of business. Cybersecurity teams even score poorly on their relationship with finance, on whom they depend for budget authorization: 57% of companies say they fall short there.
- About half of respondents (48%) say that the board does not yet have a full understanding of cybersecurity risk; 43%, meanwhile, say that the board does not fully understand the value and needs of the cybersecurity team.
- The EY Global Board Risk Survey reveals that boards lack confidence in their organization’s cybersecurity, with 50% – at best – stating they were only somewhat confident.
- Just 54% of organizations regularly schedule cybersecurity as a board agenda item.
- Six in ten organizations say that they cannot quantify the effectiveness of their cybersecurity spending to their boards.
3. The CISO becomes the agent of transformation
With stronger relationships at business and board level, a better understanding of the organization’s commercial imperatives, and the ability to anticipate the evolving cyber threat, CISOs can become central to their organizations’ transformation.
They will need a new mindset, as well as new skills in areas such as communication, negotiation and collaboration. The CISOs that will become powerful agents of change will be the ones who instead of saying “No” to new initiatives say “Yes, but…”
Cybersecurity function seen as an obstacle to innovation
7% of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk averse.”
- Just 7% of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk averse.”
- About half the organizations (48%) say that the primary driver for new spending is risk reduction, and 29% cite compliance requirements. Just 9% point to new business initiative enablement.
- Six in ten organizations do not have a head of cybersecurity who sits on the board or at executive management level.
EY recommendations in brief
Based on the findings from this year’s GISS, it is clear that there is now a real opportunity to position cybersecurity at the heart of business transformation and innovation. This will require boards, senior management teams, CISOs and leaders throughout the business to work together to:
- Establish cybersecurity as a key value enabler in digital transformation — bring cybersecurity into the planning stage of every new initiative. Take advantage of a Security by Design approach to navigate risks in transformation, product or service design at the onset (instead of as an afterthought).
- Build relationships of trust with every function of the organization — analyze key business processes with cybersecurity teams to understand how they may be impacted by cyber risks and how the cybersecurity team can help enhance the business function around them.
- Implement governance structures that are fit for purpose — develop a set of key performance indicators and key risk indicators that can be used to communicate a risk-centric view in executive and board reporting.
- Focus on board engagement — communicate in a language the board can understand; consider a risk quantification program to more effectively communicate cyber risks.
- Evaluate the effectiveness of the cybersecurity function to equip the CISO with new competencies — determine the strengths and weaknesses of the cybersecurity function to understand what the CISO should be equipped with and how.
In the Netherlands we see an increasing threat from cyber security incidents. In recent months, various incidents have been in the news in which cyber criminals have enriched themselves at the expense of Dutch organisations. For example, Maastricht University and the Wetsus research institute in Leeuwarden have fallen victim to a phishing attack (loot: 97,000 and unknown), the Rijksmuseum Twenthe has been hacked (loot: 2.66 million) and cyber criminals are eagerly exploiting the general interest in the Coronavirus. An increasing number of spam campaigns and malicious activities are exploiting the outbreak of the virus.
In addition to the technological aspects, it is important to pay close attention to the security awareness of employees: preventing malicious e-mails from being opened and internet links from being clicked on, and ensuring that sufficiently strong passwords are used. Furthermore, setting up adequate monitoring and a regular cyber security health check is far from a superfluous luxury.
Local contact
Guill van den Boom
EY Netherlands Managing Partner Consulting, Cybersecurity Leader Netherlands
Summary
New EY research suggests that outside of the need for compliance, a gulf separates cybersecurity from the business. To bridge the chasm, CISOs need to prove their value in a language boards and C-suites can understand; and the business needs to embrace cybersecurity from the onset and through the lifecycle of every initiative.