In the latest EY Global Information Security Survey (GISS), only 36% of respondents said that cyber security teams were in the loop in the opening stages of digital initiatives.
Additionally, one in five respondents said that less than 5% of their cyber security budget is being spent on digital initiatives.
These findings come despite rising threats to company systems and data: 60% of respondents reported an increase in cyber attacks over the past 12 months.
And the industry sector most vulnerable to cyber attacks goes to… (drum-roll, please!)… Finance
Organised crime groups were responsible for the largest proportion of cyber attacks (23%), while attacks by activists, in second place, leapt in prominence from 12% last year to 21% this year.
“Cyber security has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative,” said Kris Lovejoy, global cyber security leader at EY. “This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design.
“This can only be accomplished if we successfully bridge the divide between the security function and the c-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock.”
Regarding the relationship between cyber security staff and other areas of the business, the survey found that while relationships with IT, risk and legal teams are reasonably good, 74% of respondents describe their relationship with marketing teams as neutral at best, non-existent, or marked by a lack of trust.
Meanwhile, 64% held a similar view of in-house research teams, 59% said this about lines of business, and 57% about finance teams.
“As companies undergo transformation, what’s needed is to build relationships of trust across every function of the organisation, starting at the board level so that cyber security is established as a key value enabler,” Lovejoy continued. “Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position cyber security at the heart of business transformation and innovation.”
Rob Norris, vice-president, head of enterprise and cyber security EMEIA at Fujitsu, described the apparent disconnect between cyber security teams and other areas of the business when it comes to starting new digital initiatives as ‘worrying’.
“Security should not be a tick-box exercise, but rather a part of an organisation’s culture and strategy, with everyone from the c-suite down understanding the importance of a strong cyber security backbone,” he said. “This is all part of the evolving role of the CISO throughout an organisation.
“While their role is much newer than many positions on the board, it is equally important. If security teams are to be more involved in the business decision-making process, then CISOs need to act more like business managers than IT managers to solidify their place in the boardroom; that’s everything from reputational defence right through to customer retention.
“To be successful in a world where technology is central, businesses should take digital oversight seriously and build a risk management framework that helps to retain customer trust.”
EY’s study surveyed nearly 1,300 cyber security leaders worldwide.