Chapter 1
Mitigate risk, enable transformation
CISOs should seize the initiative and build a business case for investment aligned with the organization’s strategy.
In this year’s GISS, 51% of European respondents say ensuring compliance in today’s regulatory landscape can be the most demanding and challenging part of their job. And 61% believe regulation will continue to become more fragmented — and therefore more time-consuming — in the years to come.
No wonder. Europe presents a myriad of compliance challenges, with robust European Union-level requirements, such as General Data Protection Regulation (GDPR) and the upcoming Digital Operational Resilience Act, as well as growing national requirements, particularly on an industry level.
Evolution of regulation
61%of European respondents believe regulation will become more fragmented.
In the words of Alam Hussain , EY EMEIA Cybersecurity Consulting Leader: “If you are an international organization, how you manage these different and overlapping — but sometimes conflicting — regulations can be challenging, particularly as information becomes ubiquitous and travels internationally.”
In this environment, 58% of European respondents warn that cybersecurity compliance requirements do not always drive the right focus and behaviors.
“Across the board, regulators and governments are becoming more localized in how they assess organizations that operate within their jurisdictions,” says Kanika Seth, EY EMEIA Financial Services Third-Party Risk Management Solution Leader. “What we are dealing with is a global threat: somebody who is trying to get into your organization in an illegal way doesn’t care where your operational boundary sits.”
The tension continues to grow, with the turmoil of the past year and more months, exacerbating CISOs’ difficulties. Almost 6 in 10 (56%) European respondents fear that the COVID-19 pandemic, along with rapid changes to working practices, have increased their risk of non-compliance.
Localization also causes problems as organizations respond to new threats. “Incident response is a real challenge for multinational companies that don’t have a dedicated data center in one place,” warns Bodo Meseke, EY Germany Forensic & Integrity Services Chief Technology Officer. “Suddenly, they are facing multiple different data protection or data privacy regulations that are affected during a breach.”
EY’s experience suggests that managing local regulation in a global context requires both intensive compliance effort and forward-looking proactivity. “There is no single answer,” says Kanika Seth. “You end up having to look at it from a top-down perspective. How do you standardize all of this across jurisdictions? It’s tough, it’s not an easy thing to do.”
How, then, can organizations manage the conflict between localized regulation and globalized operations? Certainly, CISOs are going to have to accept that the answer will not simply be to demand ever more resources. Just one in five (19%) European respondents in this year’s GISS believe regulation is helping them make the case for additional cybersecurity spending.
The key will be to seize the initiative. Cybersecurity leaders should therefore take these key steps:
- Build a business case for investment in cybersecurity that is closely aligned to the enterprise’s strategic goals.
- Seize the upside of compliance and trusted data — for example, identify the revenue generation and cost-saving opportunities that the enterprise may enjoy when customers trust you with their data.
- Reposition the cybersecurity function as an enabler of transformation, innovation and business growth.
Chapter 2
Protect value across the ecosystem
CISOs must work with other parts of their organizations to track how third parties are evolving to support the business’s objectives.
The CISO’s role now reaches further than ever before. As organizations have moved to remote and flexible operating models, the pandemic has exposed them to new vulnerabilities. But this is only part of the broad ecosystem that organizations must consider and protect: businesses’ global supply chains are stretching the potential attack surface for bad actors to target.
In this context, 50% of European respondents agree that the third and fourth parties in their supply chains represent the greatest compliance risk to their business. Only 35% are confident that their entire supply chain is water-tight in its ability to defend and recover against bad actors.
Managing third-party risks
35%of European respondents say fixing vulnerabilities in their supply chains will be a clear post-pandemic priority.
“There is going to be a lot of effort in totaling up the broader ecosystem,” advises Kanika Seth. “The lines between an organization and its third parties are pretty blurred. So, when people say they want to strengthen that network, where are they drawing the line? What is the definitive boundary?”
Many organizations are determined to confront these questions: 35% of European respondents say fixing vulnerabilities in their supply chains will be a clear post-pandemic priority for the cybersecurity function.
But delivering on this goal will be challenging if CISOs approach it as an abstract problem, rather than working more closely with other functions across the business. That includes other buyers, including the chief information officer and the chief technology officer, but also leaders across the entire enterprise. “The way the security function manages this is by being as reflective of the operating model of their own business as possible,” argues Alam Hussain. “If you try and rub against the grain of that, that’s when you see the tensions and the challenges.”
CISOs must now work with their colleagues in areas such as procurement, finance, compliance and operations to track how supply chains and working practices are evolving to support the business’s objectives. They should:
- Map the organization’s supply chains and ecosystems to decide what is in scope.
- Identify the additional compliance exposures created by such relationships.
- Evaluate the resilience and vulnerability of the enterprise’s networks.
- Assess the risk and plan for mitigation.
- Collaborate across the enterprise with all stakeholders to identify areas of weakness.
Related article
Chapter 3
Build new skill sets
CISOs will improve their position in the organization when broadening their skill sets.
One question preoccupying many CISOs is whether cybersecurity possesses the right skills to manage the shifts being demanded of the function. As they seek to manage local compliance, support a global enterprise, and enable value, 32% of European respondents say improving the skills base will be a key priority in the wake of the pandemic crisis.
The ability of CISOs and the wider cybersecurity function to work in unison with the rest of the enterprise will be a particular focus. Right now, just one fifth of European respondents believe cybersecurity is regarded as a commercially minded function by the broader organization; only a quarter believe colleagues in other functions would say cybersecurity “speaks the language of the business.”
A need for change in the function
32%of European respondents say improving the skills base will be a key priority.
This must change. From a resourcing perspective, CISOs who can articulate the business case for allocating increased budget to cybersecurity will find it easier to secure the support they need. From a compliance viewpoint, cybersecurity will meet localized requirements through closer engagement across the enterprise. Most crucially of all, CISOs seeking to become strategic enablers and value drivers will succeed if they lead a cybersecurity function that is seen to be working to facilitate business transformation.
The time to deal with this issue is now, says Alam Hussain. “In the COVID-19 environment, there was such a need for speed and a ‘just get it done’ attitude that we didn’t always question whether teams had the right skills,” he says. “The question now is whether they have the capacity to be highly agile and to respond to all the business requests? Do they have the right culture? Are they seen as compliance or the ‘just say no’ team, rather than the people who bring forward effective solutions to act as enablers?”
Equipping cybersecurity for the broader and more engaged role that it must now play is a task that starts at the top of the function. Here are the next steps:
- Redefine the role of the CISO and reassess the competencies required.
- Develop an operating model for meeting this role definition.
- Build out the skills base across the cybersecurity function, with an emphasis on business engagement as well as technical skills for all.
It may be that a new leadership structure is the right way forward. In the words of Kanika Seth: “To find the breadth and depth of skills that a CISO now requires in one person is difficult, so maybe the answer is to split the role somehow.”
This is exactly what some organizations in Europe are doing, observes Alam Hussain. “Many CISOs come from a technology background, so for them to get into managing highly complex regulation with overlaps and conflicts, as well as driving the commercial agenda, is quite a challenge,” he says. “It has been interesting to see the extent, particularly in more mature markets, to which organizations are appointing CISOs who understand the business from another area of technology, or even from another part of the enterprise altogether.”
Chapter 4
Engage in the boardroom
CISOs with a value-focused mindset will be able to solve some of the usual function’s difficulties when engaging with their boards.
It is not only to the rest of the business that CISOs must reach out, but also to their boards. The evidence of this year’s GISS is that pitching for additional budget on regulatory and compliance grounds alone looks increasingly futile, even in the face of fragmentation. Yet it is clear boards recognize the threat. Board members participating in the EY EMEIA Board Barometer 2021 believe that cybersecurity is a highly relevant issue, with digital threats as the number one challenge.
The EY Global Board Risk Survey 2021 finds, however, that just 7% of European respondents are extremely confident that the cybersecurity risk mitigation measures presented to them can protect the organization from major cyberattack. At the same time, 46% of European respondents expect cyberattack or a data breach to severely impact their organization during the next five years.
The imperative, says Alam Hussain, is to explain to the board how to meet this challenge with a strategic response focused on enablement, rather than making the pitch in compliance terms. “Forward-looking CISOs are really starting to think, ‘I’ve got to find ways to add value rather than just providing compliance and using that as the stick.’ ”
Requiring a better connection to the board
64%of European respondents believe that when making the case for increased funding, the board may have trouble understanding their arguments.
A value-focused mindset around value creation and transformation — not just value protection and recovery — will resolve some of the difficulties that CISOs run into when engaging with their boards. Just 42% of European respondents believe their board and executive management team always fully understands the value and needs of the cybersecurity team function; 64% believe that when they make the case for increased funding, the board may have trouble understanding their arguments.
But regulation, security and resilience are only part of the conversation. “Your CISO should be your partner, not a compliance exercise, and while that cultural shift is happening in some organizations, it is happening very slowly,” says Kanika Seth.
The result is that the cybersecurity function is not getting involved as much as it should be in transformation. In this year’s GISS, 24% of European respondents say the board regularly makes decisions on cybersecurity without having the technical understanding to fully understand the threat; and 32% warn that their cybersecurity teams are frequently not consulted or are consulted too late when urgent strategic decisions must be made.
Resetting the partnership between the board, the wider business and cybersecurity is crucial and increasingly urgent. “The CISO role can evolve into one that is no longer regarded as hindering new business but is seen as an enabler, as cybersecurity is adding confidence to innovation. This supports the organization to engage in business improvement,” says Bodo Meseke. CISOs therefore must:
- Ensure their boards understand their role in setting cybersecurity in the broadest sense.
- Reach consensus on cultural shifts such as security by design and, in the context of flexible and remote working, zero trust.
- Build a business value case for cybersecurity budget and resourcing1.
- Run boardroom pilot risk exercises, alongside the CIO; these exercises might stimulate a cybersecurity breach or other incident, to illustrate the risk and demonstrate the plans in place to manage it2.
Prepare for growth
The evidence of this year’s GISS is that CISOs across Europe face a dilemma: they must cope with a regulatory environment that is fragmenting fast, while working with boards that do not see compliance as a justification for writing ever larger checks. To square the circle, will require the cybersecurity function to think about how to play its part in business growth.
This will require CISOs to build much stronger relationships with other business leaders, particularly in areas such as product development, sales and marketing. Right now, only 24% of European respondents characterize their relationship with marketing as very positive, with 40% regarding it as negative.
CISOs have made much more progress with colleagues such as the chief risk officer and the chief financial officer, with 63% and 41% of European respondents pointing to relationships of high trust and consultation with risk and finance respectively. Now they must reach out to the rest of the enterprise.
Critically, this engagement will help CISOs meet the challenges of localized regulation. The key will be to build operating structures with common standards, which nonetheless mirror the way in which the business has developed.
This is not to understate the scale of the task that lies ahead. With threat levels elevated, CISOs must map the exposures and resilience of their entire ecosystems, build compliant structures that mitigate risk and prepare for response, and focus on enabling growth. This will require cybersecurity to acquire a broader skill set and to consider new leadership structures.
The prize for those CISOs who rise to the challenge is a valuable one. They will not only retain their status as protectors of the organization’s data and security, but also become trusted enablers of value creation and transformation.
Related articles
Summary
CISOs across Europe face a regulatory environment that is fragmenting fast and boards who don’t always see compliance as a justification for increased investment. While they must create internal compliance structures with common standards aligned to the way their businesses have developed, CISOs also need a clear view of exposure and resilience across external ecosystems to mitigate risk and prepare for response. In order for CISOs to shift from protecting data to enabling transformation and growth, what should they focus on?