EY helps clients create long-term value for all stakeholders. Enabled by data and technology, our services and solutions provide trust through assurance and help clients transform, grow and operate.
At EY, our purpose is building a better working world. The insights and services we provide help to create long-term value for clients, people and society, and to build trust in the capital markets.
Transformation strategy of the information security function
In response to crisis events, companies are rapidly adopting new technologies to meet new business challenges. Of the respondents to the EY Global Information Security Survey, 58% say the time frame for these rollouts was too tight to implement adequate information security measures, and 56% do not always know whether they are sufficiently protected against new attacker techniques. As companies launch new transformation initiatives, the risk of cyberattacks grows. In turn, CISOs have an opportunity to demonstrate the strategic importance of their role and to transform information security together with the business.
We help our clients develop and implement an information security strategy based on a cost-effective, risk-oriented approach that takes into account the threat landscape specific to the organization.
This approach allows information security to become a strategic business partner that supports new initiatives aimed at the organization's goals and mission, while at the same time ensuring the appropriate level of security and limiting losses when risks materialize.
The main advantages of a strategy built on this approach:
Effective allocation and use of information security resources and activities across the whole organization
Adaptability to changes in the business environment
Increased attention to compliance with regulatory requirements
Transparency of investments in information security
Effective planning and implementation of initiatives
Qualitative and quantitative performance measurement and proper reporting, which increase job satisfaction within the function
What we do
We analyze the current state of information security and define the target state of every component of the Operating Model of the information security function, that is, the full set of factors that affect the function's ability to achieve the goals the organization sets for it:
Information security goals and their compliance with business goals
The function's reporting line at senior management level
The structure of the governance committees where InfoSec issues are considered
Interaction with other departments and senior management
InfoSec reporting and its format
The structure of internal policy and standards documentation and how completely it covers the activities of the InfoSec function
The process of managing documented information on information security
Existing InfoSec processes and their maturity to support operational activities
Processes that are not performed, or performed inefficiently or partially
Necessary and cost-justified technical protection measures against the threats relevant to the organization
Tools for automating and increasing the efficiency of InfoSec processes
The structure of the information security unit and its alignment with the business strategy and the sustainable development strategy
The main roles and responsibilities, and the efficiency of their distribution
Headcount drivers for current and planned tasks
The competency profile of InfoSec function staff
The process of training and development of employees' competencies
The process of managing employee motivation
Main InfoSec risks of the organization and key risk indicators for their measurement
Key Performance Indicators (KPIs), both for individual roles and divisions and the function as a whole
After agreeing the target state and the ways to achieve it with the client's representatives, we develop a roadmap of transformation projects. If required, we help our clients implement the transformation program or its individual projects.
We can also focus on individual components of the Operating Model, according to the client's needs.
Why EY?
Our team has extensive experience delivering a wide range of information security projects, including developing strategies for transforming the InfoSec function. The Ukrainian team has completed more than 10 such projects over the past 5 years for local and international companies that lead their fields. Our approach draws on leading information security practices, in particular ISO 27001, the NIST Cybersecurity Framework, the CIS Controls (formerly the SANS Top 20), and others.