EY Survey: Businesses Still Consider Cybersecurity an Afterthought

This year's GISS, which surveyed almost 1,300 cybersecurity leaders at organizations worldwide, showed that almost 60 percent of organizations have faced an increased number of disruptive attacks in the past 12 months, according to Kris Lovejoy, EY Global Cybersecurity Leader, Advisory. Moreover, over the last year, activists were responsible for 21 percent of successful cyber attacks—second only to organized crime groups (23 percent)—compared with last year's study, where just 12 percent of respondents considered activists as the most likely source of an attack.

Despite the increasing risk, only 36 percent of new, technology-enabled business initiatives include the security team from the beginning.

"Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design," Lovejoy says. "This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock."

According to the survey, while cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business. Almost three-quarters (74 percent) say that the relationship between cybersecurity and marketing is, at best, neutral, if not mistrustful or non-existent, while 64 percent say the same of the research and development team and 59% for the lines of business. More than half (57 percent) say their relationship with finance, on which they depend on for budget authorization, is also strained.