Although much depends on the work of information security managers, their role is still underestimated by many companies, according to EY's global survey. Given the accelerated digital transformation, the position of CISOs needs to change urgently, and the consulting firm recommends specific actions to that end.
While the number of serious attacks increased in more than three quarters of organizations (EY Global Information Security Survey 2021), 56 percent of respondents admitted to circumventing cyber security processes at their company in order to create the conditions for teleworking more quickly, and 39 percent also reported that they lack the financial framework to meet new challenges. All of this significantly increases the risks, which is what we asked Mihály Zala, Head of Technology Consulting and Cyber Security Services at EY, about.
Computerworld: How has the role of security and CISO changed in the epidemic?
Mihály Zala: Under COVID-19, all companies had to adapt to change. Progressive organizations have introduced new customer-side technologies to support telecommuting and keep business channels open. However, a quick transition can come at a serious cost, as companies have often ignored security in their decision-making in a situation of urgency. And over time, there is also an increasing risk that companies that retain the new ways of working will move on without remedying the problems. Recent ransomware attacks highlight the critical importance of immediate action.
CW: What challenges do CISOs face in this situation?
ZM: Many of the cyber attacks that became significantly more frequent during a pandemic could have been avoided with security controls developed at the design stage. By incorporating security, CISOs can play a business-enhancing role in companies, but they need to address three key challenges in terms of funding, compliance, and leadership.
Cybersecurity is a seriously underfunded area: according to our GISS research, companies spend only 0.05 percent of their annual revenue on it as a global average, and the rate may be even worse here at home.
The fragmentation of the compliance environment, that is, compliance with local, regional, global and industry regulatory requirements, entails additional work which, in the absence of development, will require additional resources.
According to our survey, in more than half of the companies, the business and IT side preparing investments and developments do not always consult the cybersecurity team in time. In order to improve risky practices, CISOs should therefore establish a closer relationship with senior management.
CW: How can CISOs respond to these challenges and create value in the future?
ZM: Due to the tight budget, CISOs are forced to compromise between investing in new initiatives and managing existing cyber risks. Moreover, their framework remains unchanged at a time when security should serve the dynamic needs of companies. To improve the situation and support transformation, the costs of cyber security should be shared across the enterprise, which is currently done by only 15 percent of organizations, and this will be achieved through the coordination of business objectives, new financial, accounting and communication mechanisms.
To address issues arising from the complexity of the regulatory environment, it is necessary to understand where compliance sits on the stakeholder map. CISOs follow the principle of "push left", striving to involve cybersecurity in processes as early as possible, but to do so they need to understand how to successfully navigate the four key groups: management, engineers, product managers and customers, compliance lawyers, and actors in the supply chain. None of them has a specific focus on security, so priorities should be set by the CISO.
More information is available in the EY Global Information Security Survey and in Mihály Zala's opinion article on EY.hu.
It is necessary for information security managers to appear as consultants in decision-making in the earliest stages, but the relationship between cybersecurity and other corporate functions lacks interoperability. Four out of ten CISOs say they have a bad relationship with marketing and HR, although these areas should work with cybersecurity to evaluate and implement new technologies and working methods.
To solve this problem, the CISO needs to survey the human resources available and find the most suitable people for the different tasks, but should not expect the impossible. The range of skills essential to the profession is expanding simultaneously in all areas. The best approach, therefore, is to build a team that balances the combination of skills, with all their strengths and weaknesses.