A new survey from professional services firm EY shows many organisations failing to integrate cyber security into technology planning despite a continued increase in cyber attacks. The problem: poor integration of security into important business functions. The answer: give more power to chief information security officers and build cyber security into technology project planning and lifecycle management.
According to EY’s annual Global Information Security Survey of 1,300 cyber security leaders released in February, only 36 per cent of organisations integrate cybersecurity into the planning process for new technology initiatives. This is despite the fact that 60 per cent of those organisations reported an increase in disruptive attacks in the past year.
A major reason for this apparent lack of urgency is that, for most organisations, cybersecurity measures are being implemented not out of any true recognition of the emerging threat, but out of a sense of obligation to align with compliance checklists. And while cybersecurity teams are generally in sync with adjacent functions such as IT, audit, risk, and legal, there is a disconnect with other business functions. For example:
· 74 per cent of respondents indicate the relationship between cybersecurity and marketing was neutral, mistrustful, or non-existent;
· 64 per cent say the same about the relationship between cybersecurity and R&D;
· 59 per cent say the same about cybersecurity within their lines of business; and
· 57 per cent say the same about their relationship with the finance department (which, by the way, provides their funding).
It’s clear that these cyber security professionals put much of the blame for this lack of urgency squarely on their organisations’ directors: nearly half say their board does not have a full understanding of cyber security risk, while 43 per cent believe directors do not fully understand the value and requirements of the cyber security team. According to the survey, 46 per cent of organisations do not even include cyber security as a board of directors agenda item.
EY has two key recommendations. First, enterprises should give the chief information security officer (CISO) a broader role beyond mere compliance officer by having them engage in a more meaningful way with the board and with individual lines of business. This, in turn, would enable the CISO to better understand commercial imperatives and prepare for cyber security concerns that might emerge.
Secondly, and more fundamentally, organisations should implement a security-first approach that builds cyber security concerns into both internal and customer-facing technology initiatives at the outset, and throughout the project lifecycle, rather than being an afterthought.
While “security by design” would seem like a no-brainer, the fact that only 36 per cent of respondents currently build cyber security into the planning stage shows how far most enterprises have to go.