The 22nd edition of the annual EY cybersecurity study finds that threats are more present than ever, with increasingly innovative techniques and very diverse motivations. CISOs (RSSIs in French) must establish close relationships with the other business functions to anticipate these risks.
Based on responses from more than 1,300 organizations, EY indicates that boards and business units are increasingly engaged in responding to threats.
But there is still a lot of work to be done, especially to monitor these constantly evolving risks and to adapt to ever faster innovation.
“Faced with these growing threats, cybersecurity functions must become real catalysts for change and set up integrated security, where new relationships are established between information security officers (RSSI or CISO), management and all functions of the company”, the firm indicates.
The growing number of hacktivists, who represent the second most common source of significant attacks, demonstrates the need for the cybersecurity function to have a much deeper understanding of its business environment.
This means that CISOs, the management committee and leaders must work closely with the rest of the business, so that cybersecurity is integrated at a much earlier stage in the life cycle of new business initiatives, and so that a culture of integrated security develops from their conception.
“Establishing stronger relationships with the rest of the company and the management committee, a better understanding of business imperatives, and an ability to anticipate cyber risks would allow CISOs to be at the heart of the transformation of their business”, EY believes.
To do this, they must adopt a new mindset and acquire new skills in areas such as communication, negotiation and collaboration. But for now, the goals of security and of the business still seem to be at odds.
The CISOs who become powerful catalysts for change will be those who, instead of refusing new initiatives, accept them while defining the security conditions under which they can proceed.
Cybersecurity at the heart of the innovation process
It is essential that organizations develop reporting structures and ways of quantifying the value of cybersecurity that resonate with the board.
A key step is to implement a program to qualify the impacts, or even quantify cyber risks, in order to communicate better on this subject and to give it more weight in the discussions of management committees.
Organizations should reconsider reporting lines, budgetary control and accountability in order to spread the new role of cybersecurity to the heart of the innovation process.
Once these elements have been defined, they should develop a set of key performance and risk indicators that can be used to communicate a risk-based vision in reports to executives and management committees.
These indicators, consolidated in the form of dashboards, should allow management committees and management teams to verify on an ongoing basis the effectiveness of the cybersecurity projects undertaken.
Cybersecurity should be transformed into a key catalyst of digital transformation. EY insists on integrating cybersecurity into business processes using a “Security by Design” approach. Finally, cybersecurity managers must have business sense, an ability to communicate in a language the company understands, and a willingness to find solutions to security problems rather than simply saying “no”.