Untrusted security teams being left out of business decisions

Despite the increasing occurrence of disruptive cyber attacks, barely a third of digital business initiatives include the security team from the outset, opening the door to even greater risks further down the line, according to EY’s latest Global information security survey (Giss).

EY spoke to almost 1,300 security leaders around the world and found that 60% reported an increased level of disruptive attacks against their organisations in the past 12 months, with almost half of them coming either from organised cyber criminal gangs or hacktivist groups.

However, it also identified a gulf between cyber security teams and the C-suite in particular, which it said was born out of the traditional view of cyber security as part of an organisation’s compliance activity, bolted on by a checklist approach rather than incorporated from the beginning.

In 77% of cases, EY reported that security spend was driven by defensive priorities, risk and compliance, and not by opportunities around innovation or digital transformation.

“This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design,” said EY global cyber security lead, advisory, Kris Lovejoy.

“This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer [CISO] to act as a consultant and enabler instead of the stereotypical roadblock.”

“If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design”

Beyond the C-suite, EY found security teams were generally on good terms with adjacent functions such as IT, audit, risk and legal, but they tended to disconnect from other parts of the business, particularly those that were inclined to be more innovative and risk-taking and those that have control over security budgets.

Three-quarters of respondents said their relationship with marketing teams was at best neutral, if not downright mistrustful, and 64% said the same of their research and development teams. Close to 60% said their relationship with the finance department was also strained.

“As companies undergo transformation, what’s needed is to build relationships of trust across every function of the organisation, starting at the board level so that cyber security is established as a key value enabler,” said Lovejoy.

“Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position cyber security at the heart of business transformation and innovation.”

EY said that including security in new initiatives could be a key way to establish the cyber team as a digital enabler, but it also recommended several other steps that organisations ought to be taking.

Besides building more trusted relationships to help other departments better understand how security risks affect them, healthy businesses will move to implement fit-for-purpose governance structures, focus on increasing boardroom engagement with security, and audit the strengths and weaknesses of the security team to better understand what it needs to do its job most effectively.

For security teams, in particular CISOs, building better relationships with the rest of the business will also require that they become so-called “agents of transformation”, which will require a new mindset, and new skills in areas such as communication, negotiation and collaboration.

“The CISOs that will become powerful agents of change will be the ones who instead of saying ‘no’ to new initiatives say ‘yes but…’,” wrote the report’s authors.