By Uwe Michael Mueller, EMEIA Performance Improvement Leader, EY.
If you and I were talking right now, face to face and in a room full of CIOs, we would have a lot to discuss about cybersecurity. In the spirit of information sharing and collaboration against a common enemy who threatens us all, we would tell each other what we were doing, the tools we have, the size of the team and the budget, and we would commiserate with those who, despite having done everything seemingly right, still suffered a significant attack that threw their organization into chaos.
What CIOs want to know about our cybersecurity is: “Is it working?”, “Am I doing the right things?”, “Is there some back door I have left open that I don’t know about?” Maybe your organization is one that recognizes that cybersecurity is not just the responsibility of the CIO or CISO any more — it’s a shared responsibility. The board needs to support your efforts, and the employees need to learn — and try their best — to stay out of trouble and not open that email, or lose that device. Does that make you feel more confident? With the organization fully behind you, are you feeling more hopeful?
Probably not, if you are honest. So what’s missing? If the devil is in the detail (or in your network), then maybe your concerns are very specific; so let’s break it down.
Firstly, are you concerned about how sharp your senses are? Can you see the cyber attacker as he starts to prowl around your perimeter? Would you know if someone was beginning to dig a tunnel or launch a rocket over your fences? Would you spot him if he got into a disguise and then hid in the shadows?
Secondly, what if the attack was from a new weapon? A new, more sophisticated weapon that you hadn’t experienced before. Would your defenses be able to resist something new and more powerful?
Thirdly, would your organization know how to react to an attack? Do you have a plan and do you know what role you would play in it? What would be the first thing you would do?
EY’s latest Global Information Security Survey will be published by the end of this month. From studying the results of that survey, from listening to our clients day to day, and from watching the cyber risk and threat landscape evolve, our cybersecurity practitioners hear these questions all the time. They understand how critical it is that IT and cybersecurity leaders have the answers and are confident they know what to do.
The survey results will indicate where organizations are today in the strength and maturity of their cybersecurity capabilities. Last year, the survey indicated there had been some improvements, with more still needed, so will this year demonstrate that cybersecurity has improved again and organizations are closer to defeating the enemy? I suspect, since we all live in the real world, there will be some good news and some not-so-good news. What organizations need, though, is some hope, and a reminder they are doing a good job. Maybe not perfect, but they have come a long way and, if the survey can give them some guidance about where to get to next, then that provides something to work on.
I’m expecting to learn a lot from this year’s results. I understand that 1735 CIOs, CISOs and other cybersecurity professionals took part. Now I don’t know about you, but I’ve never been in a room with that many professionals before, all talking and sharing (anonymously of course!) precise information about their experiences, capabilities and concerns. So if you want to hear what they have to say, look out for the report. We will post it here when it comes out. Then we should talk again and keep the conversations going. Like the room, we are all in it together, so let’s continue to help each other out.