Cyber attacks are growing every year. There are all kinds of stats out there to verify this: 78% of organizations worldwide were hacked in 2019. Additionally, 60% of small businesses close 6 months after a data breach. With numbers like these, you would think security would play a key role in most organizations.
Sadly, statistics from the EY Global Information Security Survey (GISS) paint a different picture. While the study showed that almost 60% of organizations have faced an increased number of disruptive attacks in the past 12 months, only 36% of new, technology-enabled business initiatives include the security team from the beginning.
Kris Lovejoy, EY Global Cybersecurity Leader, Advisory, says: "Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock."
Dave Millier also wrote about the problems of using a “bolt-on” approach to security in his novel Breached! A Cautionary Tale of Cybersecurity and Intrigue. In the novel, a fast-growing gastro-pub chain discovers that its new application has been breached and customer credit card data has been stolen. The security team had only been brought in at the end of the Software Development Lifecycle to run a static test of the app and check it off the list.
The EY survey also highlights the mistrust between departments. “The relationship between cybersecurity and marketing is at best neutral, to mistrustful or non-existent, according to 74% of organizations; 64% say the same of the research and development team; 59% for the lines of business. Cybersecurity teams even score poorly on their relationship with finance on whom they are dependent for budget authorization, where 57% of companies say they fall short.”
A better approach is to make the cybersecurity team an important partner to every department of an organization, from Marketing and Innovation to Finance and Legal. Rather than being treated as just another checklist item for achieving compliance, security needs to be thought of as a best practice for achieving corporate success.