Cyber Security Teams Side-lined From Business Decisions
Cyber security is slowly becoming a priority for many businesses. However, more steps could be taken to ensure cyber security becomes properly embedded in everyday business life.
According to EY’s ‘Global Information Security Survey’ (Giss), barely a third of digital business initiatives include the team responsible for cyber security. Leaving that input out at the start means risks are only discovered further down the line, when they are harder and costlier to address.
As part of the survey, EY spoke to almost 1,300 security leaders from across the globe and uncovered the chasm between cyber security teams and those making business decisions.
The survey found that in 77% of cases security spend was driven by defensive priorities, risk and compliance, rather than by opportunities around innovation or digital transformation. This cements the traditional view of cyber security as an ‘add-on’ concerned only with an organisation’s compliance with rules and regulations, rather than something included on projects from the outset.
Kris Lovejoy, EY Global Cyber Security Lead, said:
“This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design.
“This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of a stereotypical roadblock.”
The relationships cyber security teams have with other departments in the business are therefore paramount in ensuring that everyone involves them from the outset, rather than calling on them only when things go horribly wrong.
The Giss found that security teams were on good terms with the departments whose work overlaps with their own: IT, audit, risk and legal all seemed to work well together.
75% of Giss respondents said their relationship with the marketing team was neutral at best, if not mistrustful. 64% also felt the same when it came to the research and development teams. Almost 60% of respondents revealed that their relationship with the finance department was also under strain.
Kris Lovejoy added:
“As companies undergo transformation, what’s needed is to build relationships of trust across every function of the organisation, starting at the board level so that cyber security is established as a key value enabler.
“Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position cyber security at the heart of business transformation and innovation.”
These findings by EY further reiterate the advice that I mention regularly on Today’s Legal Cyber Risk.
A positive cyber culture embedded throughout an organisation, from the most senior member down to the most junior, helps to make everyone aware of their cyber responsibilities. In the article I wrote about protecting your firm against phishing, I mentioned the ‘golden triangle’ of measures that should be implemented to help keep your firm safe.
Embedding that culture is one of the steps you can take to reduce the risk. Another is to involve the people who make the cyber security decisions in your organisation in the meetings where key strategic decisions are discussed, so that cyber security is considered from the outset rather than bolted on afterwards.