Is your greatest risk the complexity of your cyber strategy?

Secure Creators are more likely to say their approach to cybersecurity is also tied to improved adaptability as threats change (45% report a positive impact). On the other hand, just 34% of Prone Enterprises said the same while 36% report their approach has a negative impact on their adaptability. While the same emerging technology empowers organizations, cyber leaders need to ensure they have a cybersecurity technology strategy which provides security through simplification. Cyber leaders should:

• Simplify and rationalize existing cybersecurity technologies to reduce total cost of ownership and establish the platform for seamless operations at speed.
• Review legacy systems that are duplicative or poorly integrated as part of technology modernization.
• Adopt simplified and automated cybersecurity processes, rather than multiple independent configurations.
• Adopt emerging capabilities faster without introducing new risks or complicating the overall technology environment.
• Consider automation-led approaches including DevSecOps and SOAR.
• Pursue co-sourcing and a managed services approach that simplifies infrastructure and increases visibility while generating cost efficiencies.

“Too many attack surfaces” was the most cited internal challenge to organizations’ cybersecurity approach. Within the organization, the transition to cloud computing at scale and the Internet of Things (IoT) have increased openings for cyber breaches. Moreover, an ecosystem-led approach to business today, while helping drive value, also presents a significant cybersecurity challenge. All told, 53% of cyber leaders agree there is no such thing as a secure perimeter in today’s digital ecosystem. Most dangerous of all are supply chains, responsible for 62% of system intrusion incidents in 2021.³

Reducing risks for cloud and IoT implementation

Three in four respondents rank cloud and IoT as the biggest technology risks in the next five years. Through cloud adoption, attack surfaces have increased exponentially. The pace of change continues to accelerate, and companies are trying to keep up. These rapid changes have the potential to expose organizations to data loss, breaches, and disruption when organizations onboard cloud and IoT without sufficient design and planning around the cloud interfaces and environment. To overcome this complexity, organizations need to harness automation. For instance, half of CISOs from Secure Creator organizations report their organization currently uses or is in the late stages of implementing cloud orchestration and automation in their approach to cybersecurity.

Additionally, companies can’t assume that all their cyber risks are being handled by the cloud provider. “Cloud security is a shared responsibility especially when it comes to identity and access,” says Carolyn Schreiber, Partner, Cybersecurity Consulting, Ernst & Young LLP. “We often see misconfigurations and advise that more setup is required than just “lifting and shifting” to the cloud. Key areas to consider include privilege access management to avoid privileged escalation, secrets management and avoidance of lateral movement. From our clients, we are seeing the most secure organizations reading the fine print in the contract and leaning in, requiring their cloud service providers (CSPs) to support the same security standards as mandated by their organizations. Holding both internal teams and CSPs accountable is a way to transition without increasing risk security controls in their cloud platforms and containers.”

Cyber risk quantification is an emerging area where automation and data analytics can add insight and aid risk prioritization. Executive committees and boards are asking more questions about cyber and digital risk. Cyber leadership should aspire to have a business dialog with stakeholders and explaining cyber risk in dollar value terms is far more powerful and enables better decision-making, than the technical updates CISOs have traditionally provided.  

Supply chains: engage early and monitor continuously

All organizations are now inextricably and digitally linked to businesses in their supply chain. In searching for the weakest links, cyber attackers harness a “one-to-many” strategy, tapping into thousands of organizations. “We have seen threat actors really target supply chains in the last five years. If they can compromise a key software supply chain player that is critical to 30,000 organizations, then they are inside those 30,000,” says Richard Bergman, EY Global Cybersecurity Transformation Leader.

Yet despite the danger, Prone Enterprises are more focused on financial risk (52% vs. 41% of Secure Creators) while Secure Creators are almost twice as likely to be highly concerned about the risks the supply chain pose (38% vs. 20%) and related risks such as intellectual property protection (38% vs. 24%). While awareness is the first step, CISOs should seek to streamline their organization’s supply chains to gain visibility into the resiliency of vendors on a continuous basis, not just as a one-off. Deeply partnering with Chief Operating Officers (COOs) and other operation leaders is critical to ensure visibility across all attack surfaces in the supply chain. In more mature organizations, security functions are involved in vendor selection decisions, and higher levels of assurance are put in place and managed continuously. COOs and CISOs can find themselves in conflict, with COOs held back from growth opportunities by cybersecurity worries, for instance, and CISOs feeling under-valued as protectors of the organization. But only by working together can true resilience be achieved.⁴

Secure Creators build bridges across the organization. At three distinct levels of the organization – the C-suite, the cybersecurity team, and the workforce at large — they excel in communicating with different stakeholders and explicitly recognizing the “human factor” in cybersecurity.

Speaking to the C-suite

While the CISO role was once primarily operational and technical, in more mature organizations, cybersecurity operates as a department and function in itself and has a seat at the senior management table. Our survey finds that, thanks to their increasingly prominent role, CISOs have been broadly successful in securing the resources necessary in today’s high-risk environment. Budget, once a top internal challenge, was only ranked sixth out of eight in a list of obstacles in this year’s survey. Cybersecurity is increasingly recognized as a fundamental business resilience, reputation and compliance issue and being equipped with ample support.

While budgets are a critical component, cybersecurity needs to be embedded throughout the organization. This requires buy-in from senior leaders, bridging knowledge gaps, and close communication between CISOs and the C-suite. However, our survey reveals these groups aren’t always on the same page. Compared to the C-suite, CISOs were less likely to be satisfied with the effectiveness of their organization’s overall approach to cyber (36% versus 48% of C-suite) and with their ability to take on the threats of tomorrow (38% vs. 54% of C-suite).

Perception gaps between the CISO and C-suite are much smaller for Secure Creators, who are more satisfied with C-suite integration of cybersecurity into key business decisions, suggesting more effective communications with senior leaders creates a shared understanding of risk and improves cybersecurity performance. Aligned perceptions of performance are a marker of more secure companies. Organizations that have cybersecurity operations embedded with core business priorities and strategies have higher odds of experiencing fewer incidents. The most effective CISOs translate the narrative into a storyline that resonates in terms of risk buydown, business impact and value creation.

Effective support for the workforce

The broader integration priority is the wider workforce. Human error continues to be a major enabler of cyber-attacks, and weak compliance to best practices beyond the IT department was the third biggest internal challenge in our survey.

Only half of cybersecurity leaders say their cyber training is effective and just 36% are satisfied with non-IT adoption of best practices, raising questions on how effective this training truly is. However, Secure Creators are more satisfied with cybersecurity best practice adoption than Prone Enterprises (47% vs. 27%). Being brilliant at the basics should be the focus. Organizations must simplify best practices asked of the workforce and create guardrails in their processes to limit risk rather than rely on compliance. More mature organizations have incremental regular training and leverage the latest automation and preventative tools. Making cybersecurity second nature by embedding it into the psyche of every person in the organization will help ensure more effective training and adherence.

Talent: thinking outside the org chart

Within the cyber workforce, talent is a recurring challenge as the cybersecurity workforce gap grows more than twice as fast as worldwide cyber workforce in the past year.⁵ Cybersecurity is stuck in a skills catchup, and upskilling is the main focus for most organizations in our study. But Secure Creators are approaching this challenge more creatively. For instance, they are twice as likely to be significantly prioritizing recruiting or reskilling workers not currently in the cybersecurity field (28% vs. 14% of Prone Enterprises). Non-traditional hires can emerge from a range of backgrounds, including coming from other functional areas where automation has reduced workloads significantly, such as finance and general IT, and from non-traditional backgrounds including apprenticeships.

Leaders think more flexibly about how to shape the operating model of their cybersecurity function by outsourcing more of their security operations (a median of 25% vs. 15%) and being more likely to outsource additional functions and capabilities to third-party specialists in the future (46% vs. 31%). Outsourcing can simplify internal cybersecurity functions by allowing for specialized third parties to focus on specific cybersecurity functions their internal workforce may not be equipped to handle. Secure Creators are also prioritizing standardizing and automating security process to reduce staffing needs (35% vs. 26%), further simplifying their organizational structure.

While companies are becoming more inclined to outsource the “people and process” aspects of cybersecurity work, they are more circumspect about the technology itself. Rather than a multi-tenanted technology solution hosted by an outsourcer, organizations generally want to own the technology in their cloud, configured for their specific needs and risk appetite, while benefiting from the capacity that outsourcing or co-sourcing provides in terms of skills and people. They can also benefit from access to the third-party outsourcer’s intellectual property.

A further creative capacity strategy is formulating individual roles to coordinate business and cyber teams. A “consulting” capability acts as a liaison between cyber teams and the wider business, by understanding requirements and incorporating cyber considerations into the business. Some companies are experimenting with a “pod” approach in which a team of cyber consultants manages a “lift and shift” process into the organization over a period of six or nine months where they might run a secure development cycle, training the relevant personnel and then move on. This can infuse new skills and allow the in-house team to learn by doing.

Cybersecurity is not just about asset-protection. Done well, it can also support and accelerate innovation and value creation across the enterprise. From our clients, we have seen the best organizations have cyber weaved into the fabric of the firm. Making cyber integral to every part of the organization and operating model shifts the function from an inhibitor to a value driver.

Secure Creators are much more likely to say their cyber approach positively impacts the organization’s pace of transformation and innovation (56% vs. 25% of CISOs from Prone Enterprises), ability to rapidly respond to market opportunities (58% vs. 29%) and ability to focus on creating value rather than protecting value (63% vs. 42%). Value creation can take many forms. Cyber-secure organizations win greater trust from customers and suppliers who will be more confident transacting with them. Re-designing technology architectures can improve communication, collaboration and workforce productivity and improve spend efficiency.

For example, heightened security risks led one retail giant to pursue a cyber reform initiative that enhanced value beyond reduced vulnerability, important though that is. This included more efficient technology spending, the removal of obsolete and redundant tools, optimized manpower and refined roles and responsibilities, more efficient collaboration, and strengthened trust in its over one-billion-strong customer base.  

Our study shows Prone Enterprises are more likely to struggle with balancing security and the speed required to innovate (55% vs. 42% of Secure Creators), revealing a further example of how cyber effectiveness is a platform for value and innovation and its absence, a hindrance. Ecosystems have become a fundamental business strategy to create value, whether that is through multiple brands, wholly owned or majority owned subsidiaries, partnerships or joint ventures. To fully leverage the benefits of ecosystems, cybersecurity needs to be embedded from the start. CISOs need to ensure that cybersecurity criteria are included when evaluating potential partners by standardizing tech integration protocols. They also need to communicate effectively with business decision-makers to appropriately manage the risk that comes with expansion. An acquisition, for instance, may bring cyber risks but if the figures are dwarfed by the opportunity, it becomes a business risk decision like any other and need not necessarily mean abandoning a pursuit. Companies need to live with a “reasonable” level of risk.

Actions for a more effective and value-driven cybersecurity strategy

The EY 2023 Global Cybersecurity Leadership Insights Study returned sobering findings, with C-suite leaders grappling with a range of present and anticipated threats. But it also offers reassurance that organizations experience very different outcomes partly as a result of their cybersecurity strategy. By learning from the best, companies can strengthen their cybersecurity by emphasizing simplicity, holistic thinking and integration of cybersecurity considerations across the organization. None of these are beyond the reach of the Prone Enterprises. Key action points emerging from the survey include:

1. Simplify the cyber technology stack to reduce risk and improve visibility. Automation and orchestration can reduce clutter in the technology environment, allowing you to detect signals faster and respond more effectively.
2. Utilize standardization and automation to reduce supply chain entry points for hackers, improve cyber vigilance and continuously monitor performance without adding undue bureaucracy. This also ensures that security teams are involved early in vendor selection.
3. Translate your narrative into a storyline that resonates with the business in terms of risk buydown, business impact and value creation.
4. Combine incremental and well-designed training with automation and prevention tools to make the workforce cyber-secure by design.
5. Weave cybersecurity into the fabric of your organization, not viewed as an inhibitor. It drives value, instills the confidence necessary to innovate and opens new revenue and market opportunities. 

With special thanks to AnnMarie Pino, Mike Wheelock, Bhavnik Mittal – EY Research Institute; Aino Tan – Business Insights; and Vanessa Lobo – Global Technology Consulting, for their contributions to this article.