Cyber risk is at elevated levels and UK chief information security officers (CISOs) are on high alert. That’s the picture painted by the recent EY Global Information Security Survey 2021, based on responses from over 1,000 C-suite and senior business leaders worldwide.
More than four in 10 UK CISOs say they have never felt as concerned as they do today about their ability to manage the growing cyber threat, while nearly half believe that cyber security is coming under more scrutiny than at any other point in their careers.
Those concerns are based on the challenging realities: 85% of UK CISOs reveal they experienced a higher number of disruptive attacks over the past 12 months, well above their global peers. This is despite the fact that UK CISOs are relatively well resourced, with six in 10 happy with the funding they receive for cyber security operations, again, well ahead of the global average.
So, what’s driving these findings and how can they be addressed?
Addressing supply chain vulnerabilities
Cyber risks within supply chains are a global issue for all CISOs, but our survey reveals that it is of most concern to UK-based businesses. This may reflect the number of supply chain-related attacks, often initiated through third parties, that UK organisations have experienced over the last 12 months.
A key driver in this is how Brexit, as well as Covid-19, has forced businesses to rethink their networks – and in doing so take on new exposures to cyber risk. As a result, fewer than half of UK CISOs (42%) are confident that their supply chain is secure in its ability to defend against and recover from threats.
Given the potency of these external threats, it may seem counterintuitive to look within the organisation itself for the solutions, but the increasing need to do so is highlighted by our finding that many UK CISOs worry about the strength of their relationships with other key business functions. Moving closer to those operational areas of the business that initiate and maintain relationships with suppliers will be very valuable in this regard.
Closely linked to this is the CISO’s strategic role, or lack of one, within their organisation. Boards are well aware of cyber security issues, with a third of UK respondents (34%) saying they are on the boardroom agenda on a weekly or monthly basis, but a significant challenge remains.
To date, few CISOs have managed to shift the organisation’s perception of the key commercial role that cyber security plays, leaving them at risk of exclusion from the strategic conversation.
So much of the success of the cyber function comes down to how it is positioned within the organisation. A good way to think of it is to imagine an iceberg. Above the waterline are the attributes and insights that the business wants and needs to see. Below water is all the operational activity and effort.
Today’s CISO needs to understand the whole picture but, crucially, they must also be able to translate this into what is relevant to the business. Being seen “above water” as a leader that understands this will increase the value of the CISO and help to demonstrate the role of cyber security in future growth.
Adding value rather than defending it
Without that seat at the top table, CISOs risk remaining reactive and tactical. Just 16% of UK CISOs say they are included in discussions about new strategic investments at the planning stage, compared to 26% of US CISOs. And just one in 10 UK CISOs has a direct reporting line to their organisation’s CEO, versus 14% globally.
To win their place at the table, cyber security must secure a reputation within the business as a strategic enabler. That means embracing change, rather than risking being perceived as a blocker. Only a third of CISOs currently believe the executive team would describe cyber security as enabling innovation. Shifting those perceptions will help to ensure that CISOs are consulted on new ideas at the earliest possible stage.
From supranational regulations, such as GDPR, to national and sector-specific requirements, UK CISOs are facing an increasingly complex set of compliance challenges. No surprise, then, that half of UK CISOs believe that compliance can be the most stressful element of their jobs.
In response, CISOs can get smarter about meeting compliance requirements. That means thinking carefully about the organisational structure – including the governance – of cyber security. For example, by implementing a centralised set of controls, security teams can streamline compliance and avoid the need to respond to myriad compliance requests. Designing structures around organisational risks rather than individual compliance requirements is another way to create a more efficient and business-friendly approach.
Talking of efficiency, better use of automation will enable cyber professionals to focus more attention on risk-based and value-added work. Although investing in new tools such as robotic process automation may seem the priority, the real challenge is often unlocking more value from existing tooling.
This snapshot of the cyber security industry shows that UK CISOs are in a strong position to support their businesses’ post-pandemic growth plans. But to do so they must first expand their strategic influence within the business, understand and fix vulnerabilities in the supply chain, and optimise compliance using the best approaches and technologies.
Gavin Cartwright is a partner and cyber security lead at EY UK&I