Ken Allan, Global Advisory Cybersecurity Leader, EY, on the CIO’s role in helping organizations navigate cybersecurity obstacles
The digital world abounds with rapidly expanding opportunities for innovation. It helps organizations create new markets and products, understand consumers more thoroughly and find different ways of connecting with them. However, in the quest to serve customers better, organizations often struggle to put in place information security systems robust enough to protect their customer data and intellectual property (IP).
According to EY’s recent Global Information Security Survey, “Creating trust in the digital world,” 88% of the organizations surveyed think their information security systems do not fully support the organization’s needs. This highlights the need for considerable improvement as the world becomes increasingly digital and attackers become more sophisticated and persistent. Thirty-six percent of all organizations surveyed say it is unlikely they would be able to detect a sophisticated attack.
CIOs are well placed to help guide organizations through the many layers of risk and threat. They can help set the risk appetite and be prepared to swing into decisive action in the event of a cyber incident – but as attacks become more complex and attackers continually develop new tactics, it is increasingly difficult for businesses and their CIOs to keep up, let alone get ahead.
Developing a proactive mindset
To create tailored, effective cybersecurity management strategies, organizations (and their CIOs) should prioritize:
- Viewing the organization through a cyber risk lens: CIOs can help identify what is critical to the organization, determine the cyber business risks and anticipate which information, if lost or compromised, would hurt most. More data is being stored in the cloud and with third parties, which means less direct control, increased risk and ultimately a more complex cyber ecosystem. It is therefore important to analyze every activity in the organization through a cyber risk lens. Understanding the organization’s cyber ecosystem puts CIOs in a good position to prioritize precautions and build countermeasures around the most critical assets and the most likely attack scenarios.
- Early detection: An attacker’s early probing and intrusion activity leaves traces, but they are unfortunately very easy to miss. CIOs can help organizations detect cyber incidents at an early stage, placing extra attention on prevention and neutralization around the areas of highest value and highest risk.
- Constant state of high alert: An organization can only consider its cybersecurity sufficient when it is consistently able to stay within the bounds of its established risk appetite. To get there, organizations have to maintain a constant state of high alert, detecting discrepancies and responding to the changing environment.
- The shift to active defense: Active defense helps in analyzing and assessing threats, and in neutralizing them before they damage the organization’s critical assets. CIOs can help enable the organization’s shift to active defense by establishing advanced security operations centers (SOCs) and using up-to-date cyber threat intelligence to look actively for signs of potential attackers. In our survey, 66% of the organizations that had a recent cybersecurity incident that was not discovered by their SOC say that their SOC does not have a paid subscription to cyber threat intelligence feeds. A feed on its own is not a defense, however: it only helps if the SOC actually matches its indicators against the organization’s own logs and telemetry and acts on the results. CIOs can look at the performance of their SOC and encourage the business to review the maturity of its critical defense functions, such as threat intelligence.
A robust cybersecurity strategy is vital to put organizations on the road to success in today’s digital world. By establishing a proactive, holistic, responsive and resilient management strategy and framework, CIOs can help senior executives and the C-suite identify attacks accurately, mitigate them and minimize the damage when they do occur. Today, when it is possible to estimate the damage a cyber threat would have caused had the scenario played out to its worst case, every averted incident is a reminder that the CIO’s role in keeping organizational assets safe in today’s risky cyberspace is more demanding than ever.