- EY survey finds 59% of organisations (SEA and global) saw more attacks in past year but only 43% in SEA (global 36%) involve cybersecurity function in early stages of new digital initiatives
- Six in ten (59%) of SEA organisations (global 48%) think their boards have the required understanding to really evaluate cyber risks
- Activist attacks are the most common motive for cyber-attacks in SEA, and the second most common motive globally
Despite the overall growth in cyber-attacks, less than half of organisations (SEA 43%, global 36%) say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS).
This year’s GISS surveyed almost 1,300 cybersecurity leaders at organisations worldwide, including 76 across SEA, covering Singapore, Malaysia, the Philippines and Vietnam. We believe Sri Lanka resembles SEA. The survey showed that 59% of organisations (SEA and global) have faced an increased number of disruptive attacks in the past 12 months.
EY Asean Risk Leader Gerry Chng commented: “Successful security breaches on companies are now becoming commonplace and most have realised that despite the best efforts, a determined perpetrator will be able to cause some form of disruption, directly or indirectly. As enterprises leverage emerging technology to transform their businesses to meet customers’ evolving expectations for 24/7 on-demand services, such disruptions today go beyond mere inconvenience. Enterprises could suffer short-term loss of revenue and longer-term impact on customer trust and brand equity.”
Moreover, cyber threats are increasingly driven by social activism instead of traditional motives such as financial gain. Over the last year, in SEA, activists were responsible for 20% (global 21%) of successful cyber-attacks, followed closely by organised crime groups at 19% (global 23%). Activist threats pose a new challenge to chief information security officers (CISOs), who now have to recognise and be ready to manage this new threat motive.
Advisory Leader (Sri Lanka) Arjuna Herath says: “Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the CISO to act as a consultant and enabler instead of the stereotypical roadblock.”
Critical role of CISO in engaging the board and rest of the business
The survey found that board-level awareness of and support for the cybersecurity agenda is higher in SEA markets than in the rest of the world. More than half (59%) of SEA organisations (global: 48%) believed that their boards have the required understanding to evaluate cyber risks. In addition, 76% of SEA organisations (global: 72%) agreed that their boards see cyber risk as significant.
However, CISOs in this region – as well as globally – can do more to gain traction in board communications and to secure better representation on boards. Less than half (47%) of SEA organisations (global: 54%) regularly schedule cybersecurity on their board agendas. Only around four in ten organisations (SEA: 37%, global: 36%) have a Head of Cybersecurity who is also a member of the board or executive management team.
While CISOs need to drive engagement at the board level, they must not forget to invest in building relationships across the business. According to the survey, while cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business.
Only 37% of SEA organisations (global: 59%) said that the relationship between cybersecurity and the lines of business is, at best, neutral, if not mistrustful or non-existent. Forty-six percent (46%) of SEA respondents (global: 57%) said the same of the finance function, on which they depend for budget authorisation, while 58% of SEA organisations (global: 74%) expressed similar sentiments about the marketing team.
Chng shares how CISOs and the business can work together to close the gap: “It is only in the last few years that technology has started to be seen as an integral part of the business strategy. Deeper trust and meaningful dialogue will happen only when a common understanding and language are established between the business owners and CISOs.
Both sides will need to put in the effort to see progress. Business owners need to truly appreciate technology’s benefits and value proposition, to bring forth innovative approaches to address evolving customer expectations, while CISOs need to start understanding how to articulate the return on cybersecurity investments needed in business terms.”
In addition to relationship building, CISOs need to effectively manage operational issues. Currently, the most challenging aspect of managing cybersecurity operations is procuring or justifying budget (SEA 18%, global 17%), followed by proving to the board and C-suite that cybersecurity is performing in line with expectations (SEA 14%, global 22%).