Long Road Ahead or Unbridgeable Chasm? Lessons From the EY ‘Global Information Security Survey’

If it appears to you that 2017 was a dismal year for cybersecurity, join the club: According to the latest edition of EY’s “Global Information Security Survey,” most security leaders feel they are more at risk today than they were 12 months ago.

The report surveyed chief information officers (CIOs), chief information security officers (CISOs) and other executives from 1,200 organizations around the world. More than 50 percent of survey responses came from small and midsized organizations with fewer than 2,000 employees. Although the top five sectors by respondents were banking and capital markets, consumer products and retail, government, insurance, and technology, other sectors, such as health, power and utilities, and real estate, were also included.

The report shed light on the state of cybersecurity and resilience, which is especially relevant since the global cost of cybersecurity breaches is estimated to reach $6 trillion by 2021. Cyberattacks are becoming more sophisticated, and new and disruptive technologies such as the Internet of Things (IoT) are rapidly increasing the level of connectedness across organizations, thus increasing the attack surface.

The Global Information Security Communication Chasm

While cybersecurity is becoming a regular topic of discussion in the C-suite and boardroom, the frequency and quality of interactions between security leaders and directors is a key factor in determining the organization’s cyber readiness and resilience. Given how much of our lives and businesses depend on technology, it doesn’t bode well that only 4 percent of organizations said they have “fully considered” the cybersecurity implications of their business decisions and are tracking relevant risks and threats. If there isn’t a strong enterprise risk management (ERM) effort already in place, this would be an excellent time to consider the Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s ERM framework, which was updated this year.

When it comes to readiness at the top, the findings from the report provided a mixed view. While 24 percent of organizations said that the CISO or equivalent sits on the board — a number similar to that reported in PwC’s own “Global State of Information Security Survey” — only 50 percent are reporting to the board on a regular basis and 63 percent still have the cybersecurity function reporting to IT. More troubling, 43 percent of respondents said they lack a communication strategy or plan to respond to an attack.

Technical Readiness and Maturity

While cyber risks aren’t just an IT issue, many attack vectors depend on weaknesses and vulnerabilities in technology to steal data or hold it for ransom. It is more important than ever for organization to look at the effectiveness of their controls and the overall maturity of cybersecurity activities. According to the survey, 75 percent of respondents rated the maturity of their vulnerability identification as very low to moderate, pointing out the strong link between maturity and resilience.

Many organizations worry about their legacy systems, with 46 percent of security leaders listing outdated security controls or architecture as one of the top two factors increasing their risk exposure. In terms of threats, the top two were malware and phishing. Meanwhile, somewhat surprisingly, 35 percent of respondents described their policies regarding data protection as “ad hoc or nonexistent.”

Finally, about 1 in 10 organizations does not have a breach detection program in place. This, combined with management’s failure to implement a pre-approved and well-tested breach response plan, is likely to spell disaster in the event of a breach.

Solutions Are Within Reach

The good news is that the solutions to remedy the problems mentioned above are within reach. Unless your organization has already achieved a high degree of maturity in its cybersecurity projects, this means working on the basics. Greg Young, research vice president at Gartner, estimated that “through 2020, 99 percent of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.”

For most organizations, it’s critical to focus on simple, time-tested controls, such as regularly applying patches and testing incident response plans. As Roger Grimes wrote for CSO Online, “The two most likely reasons you will get exploited is due to unpatched software or a social engineering event where someone is tricked into installing something they shouldn’t. These two issues account for nearly 100 percent of the risk.”

For those with limited budget and staff, patching systems and providing effective security awareness training should be the priority. Of course, this means identifying what matters most to the organization and creating or seeking educational programs that have an appropriate tone and focus.

From a technical maturity perspective, organizations should ensure that their information security controls and IT architecture are not outdated. Security teams must be regularly tested on their ability to detect and respond to malware and phishing attacks. Organizations should also implement a breach detection program supported by appropriate metrics to help improve the effectiveness of incident detection and response, as well as recovery of business functions. More advanced organizations may consider creating a security operations center (SOC) and developing their threat intelligence capabilities.

In many organizations, the executives need to increase the frequency and quality of interactions with the CISO and adopt a more hands-on approach to improving the way cyber risks are managed and governed. In companies where the cybersecurity function still reports to IT, dotted lines of reporting should be created to ensure direct access to top leadership.

The results of the EY report suggest that we still have a long road ahead — but it is indeed a road, not an unbridgeable chasm. Don’t wait to create your cyber risk management life cycle. Be determined to put your organization on the path toward cyber resilience.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.