Our latest 2021 EY Canada Global Information Security Survey (GISS) shows how cybersecurity can drive future growth.
In brief:
Canadian businesses stand to gain by better connecting cybersecurity to the rest of the business.
If Chief Information Security Officers (CISOs) can dismantle operational silos, cybersecurity can help build resiliency and drive future growth in every aspect of a business.
The Canadian highlights of the 2021 GISS (infographic) showcase how CISOs have the opportunity to make a difference by driving organizational change.
The 2021 EY Global Information Security Survey (GISS) shows operational silos hold progress back. Legacy risk frameworks require fresh thinking. Internal disconnects continue to drive awareness gaps around the value that cybersecurity can bring. Even so, the opportunity remains.
The right strategy can empower CISOs to translate progress gained during the crisis into sustainable collaboration, more integrated operations and stronger relationships meant to generate long-term value in a market transformed.
CISOs now have a unique chance to bolster their presence and effectiveness in Canadian organizations.
The key is to harness the progress made over the course of the pandemic and work with stakeholders as a united leadership team to:
Our 2021 EY GISS showcases how this transformational opportunity can shape cybersecurity — and overall business results — for the better in an era when security, privacy and compliance will continue to be top of mind for internal and external stakeholders.
Take down operational silos so cybersecurity can create a connected path forward
Redrawing the organizational chart and making cybersecurity and privacy the connective thread between functional capabilities doesn’t only make your organization stronger. It can also support efficiency, cut down costs, and foster the kind of collaboration that speaks directly to internal and external calls for secure products, services and solutions.
Why?
Risk itself has changed. Our findings from the Global Information Security Survey show more than 40% of leaders have never been as concerned as they are now about managing cyber threats the business faces. You cannot tackle that increase in disruptive risk without drawing better connections between functional teams.
Innovation is happening everywhere. Cloud is now the foundation for emerging technology. Developers are building new code and defining the server to house it themselves. Yet nearly 40% of organizations view the relationship between security and product development/R&D teams as a neutral one, characterized by low levels of consultation. That prevents security and privacy by design from taking hold.
Cybersecurity and privacy are invited to the party late. Although many organizations are already looking beyond Cloud 2.0 and its focus on containerization to address serverless technologies and blockchain through Cloud 3.0, cyber resources remain disconnected from the planning process. Less than one quarter of Canadian organizations bring cyber and privacy in at the planning stage. This can lead to costly ramifications, sending designs back to the drawing board at the 11th hour because they were built without appropriate security safeguards and default privacy settings.
How can organizations take action now?
Set tone from the top
Cross-pollinate cyber resources
Draw a new R&D framework
Global Information Security Survey 2021: 40% of cyber leaders have never been as concerned as they are now about managing cyber threats.
Chapter 2
Reshape cybersecurity and embrace a new way of managing risk
As markets and organizations evolve, there’s room to reshape the way cybersecurity and privacy teams operate, too. Assessing ways of working, embracing new models and reimagining required skillsets can help this critical function shift to better address the changing needs and demands of the business, as well as the customers and regulators these groups serve.
Why?
Regulatory expectations are changing. Half of Canadian execs say ensuring compliance in today’s regulatory landscape is the most stressful part of their job. Some 70% expect regulations to become increasingly fragmented, making them harder and more time consuming to manage. Internally, fragmented responses can hamper efforts further, exposing the organization to additional risk. By reframing regulatory requirements from a risk-based perspective, cyber and privacy teams can get ahead of changing regulations and initiate proactive relationships that serve the entire organization better.
Innovation is cycling more quickly than ever before. While most organizations feel cybersecurity protects the business, 73% say this function doesn’t actually enable innovation. That’s a missed opportunity. Innovation cycles are shorter than ever, magnifying the importance of security and privacy. Reframing the function’s focus to prioritize innovation alongside security and privacy can help businesses build solutions that are inherently more secure at a time when stakeholders are increasingly concerned about their privacy in a hybrid business world.
Business-centricity is everyone’s responsibility. Only 20% of CISOs are confident they speak the same language as their peers across the business. But there’s a real business case for cybersecurity and privacy specialists to contribute to all functional areas. Progressive organizations want to see how cybersecurity teams are getting creative to secure new products, digital offerings and broader business improvement initiatives. As business units adopt agile ways of working, building “security and privacy by design” is becoming more realistic. Cybersecurity teams must also adapt to approach risk through a commercial lens to drive more efficient overall business outcomes.
How can organizations take action now?
Assess the skills you have
Realign the talent agenda
Shift regulator relationships
Global Information Security Survey 2021: 70% expect regulations to become increasingly fragmented, making them harder and more time consuming to manage.
Privacy regulations are more than just another compliance exercise. They represent a way of holding organizations accountable for how they collect and process personal data and protect individuals’ right to privacy. The bigger objective is helping organizations create ethical business practices while gaining consumer trust.
Roobi Alam
EY Canada Privacy Leader
Chapter 3
Drive a cultural shift by cultivating internal awareness
Change is only as impactful as our ability to manage it meaningfully. If you’re taking down operational silos, or changing the way cybersecurity and privacy operate, the organization needs to know. Internal education and awareness building transforms cross-functional teams into stewards of privacy, data protection and cybersecurity. Succeeding on this front can unlock benefits for both the organization and its stakeholders while bolstering the bottom line.
Why?
New investments are creating new risks. In our latest survey, 45% of organizations said they planned significant investments in data and technology over the next 12 months. But fewer than 30% describe cybersecurity as an innovation enabler. Bridging that gap requires internal education around the specific capabilities and skillsets that security and privacy can bring to the innovation table so they’re considered earlier on in the process.
People don’t know what they don’t know. Only 34% of executive management teams say they’d describe cyber as flexible and collaborative. There’s no point in working to bring something new to the cybersecurity mix if the organization is holding on to legacy views of who you are and what you stand for. Creating opportunities to get to know the function better drives fruitful collaboration and profitable results.
Collaboration doesn’t always come naturally. Just over two thirds (68%) of CISOs say executive management wouldn’t describe the role of cybersecurity as commercially minded. Changing that perspective will require cybersecurity and privacy teams to show, not tell, what they’re capable of. Showcasing innovation stories centred on cross-functional teaming can bring people on board.
How can organizations take action now?
Make a plan for change
Focus on storytelling through internal channels
Celebrate wins without moving the goal posts
Global Information Security Survey 2021: 27% of cyber leaders say executive management would describe the role of cybersecurity as enabling innovation.
In a digitally transformed organization, cybersecurity and privacy functions cannot solely focus on risk reduction. In addition to value protection, they also need to enable value growth and optimization. This requires cybersecurity and privacy to transcend legacy paradigms and operating models. That means engaging and educating across functional lines on integrating cyber and privacy into their ventures from the outset. and transforming cyber and privacy
Ali Varshovi
EY Canada Financial Services Cyber Leader
What’s the bottom line?
In Canada and around the world, security functions are facing a critical inflection point. Seizing this moment to bring cybersecurity and the business closer together tells the market your security and privacy matter most. Start by dismantling operational silos, supporting a new view of risk, and driving meaningful internal culture change. Doing so now can bake security and privacy into everything you do and differentiate your organization in a sea of competition.
Our 2021 Global Information Security Survey (GISS) identifies the actions Chief Information Security Officers (CISOs) need to take to help drive organizational transformation during this critical time.
The data in this year’s GISS report is based on a survey of CISOs and other senior leaders at 1,010 organizations, including 71 Canadian respondents, carried out between March and May 2021. CISOs and other C-suite professionals comprised 50% of respondents; the others were C-1 cybersecurity professionals. Surveys were primarily conducted via telephone, with a minority completed online.
New cyber risks are mounting as threat actors become increasingly mature. Consumers have come to expect security and privacy by design, even as innovation moves at the speed of light. Legacy frameworks and internal disconnects represent serious gaps that organizations must address now. Adapting risk management and creating meaningful culture change can help entrench cybersecurity in every aspect of your business, to build resiliency and drive future growth.