“Cybersecurity is still an afterthought,” according to a recent survey by a consulting firm.
The global EY study found that 59% of outfits which participated in the poll “have faced a material or significant incident in the past 12 months.” Of those that confirmed breaches, “59% say such attacks have become more frequent over the past 12 months, including 34% who report an increase of more than 10%.”
Despite the rising threats, “only 36% of organizations say cybersecurity is involved right from the planning stage of a new business initiative,” EY wrote. Digital security teams get involved in the design phase of the process 27% of the time or at a later stage 26% of the time, while 7% of respondents said cybersecurity was “never” involved in rolling out new projects.
More than half (59%) of outfits admitted “that the relationship between cybersecurity and the lines of business are at best neutral, to mistrustful or non-existent.” EY noted that the worst links were between cybersecurity and marketing departments. 74% of marketing departments said that engagement:
“... is no better than neutral--and in many cases they describe it as mistrustful or non-existent. Some 64% say the same of the function’s relationship with the product development and R&D teams.”
On the other hand, more than 50% of risk, legal, audit and IT departments reported “moderate” or “high” degrees of trust and consultation with their cybersecurity counterparts.
Not on all board agendas
EY also found that just “54% of organizations regularly schedule cybersecurity as a board agenda item,” while 29% of boards of directors discuss cybersecurity on an “ad hoc” basis and 7% of directors “never” do.
Thomas Koch, cybersecurity leader at EY in Luxembourg, said in a 5 March press release:
“Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock.”
The “EY Global Information Security Survey 2020” was released last month. EY said the report was based on “a survey of senior leaders at almost 1,300 organizations carried out by EY between August and October 2019.”