Report Shows Major Disconnect Between Cybersecurity and Cyber Everywhere in Digital Transformation
In order to survive and thrive in the future, companies around the world are adopting digital transformation as part of the fourth industrial revolution. It is leading to a new ‘cyber everywhere’ environment where digital technology encompasses the business, its employees, its workspaces, its production facilities and the products it makes — and, of course, the Internet.
Deloitte queried 500 C-level security leaders (100 CISOs, CSOs, CTOs, CIOs and CROs) to examine whether companies are taking advantage of the opportunities — and accounting for the dangers — inherent in this new cyber everywhere world. It came away encouraged in some areas, but with the overall conviction that companies are not yet doing everything they need to do. For example, it concludes that organizations are tackling various aspects of security, such as data, application, identity, infrastructure and response, but are not doing so well in aligning cyber initiatives to executive management’s digital transformation priorities.
The result, suggests Irfan Saif, cyber innovation leader and principal in Deloitte Risk and Financial Advisory at Deloitte & Touche LLP, is that “With finite budgets and resources, and lack of prioritization by executive management, organizations are going to be tested to keep up with the cyber demands of digital transformation.”
One encouraging result from the survey is that 43% of surveyed CISOs indicate that they report directly to the CEO. The security reporting structure remains a contentious issue. Traditionally CISOs have reported to the CIO; but as cybersecurity has become both more important and more complex, there is an increasing demand that it should be stand-alone.
“This is an important shift to note, as access and influence are imperative in helping executives prioritize and understand what is needed to propel the enterprise forward in the realm of cyber everywhere,” comments Deloitte. Nevertheless, it finds the figure somewhat surprising. In its own experience among its own customers, this figure would be nearer 20%.
One area where cybersecurity everywhere shows that it may not yet be receiving the priority it should is on the board. Almost half of the respondents indicated their company has cybersecurity on the board agenda at least quarterly. While this is good, and indicates an improving environment, it is still well short of optimum. It equally indicates that half of the organizations do not consider security to be worth automatic discussion on at least a quarterly basis. With digital transformation and cyber everywhere it could be argued that security should be a constant on board agendas; but only 4% of the respondents indicated that it was a monthly topic.
Deloitte likens the process of digital transformation to trying to build a new plane while already flying it. “Executive management,” it says, “will need to reconsider how they achieve their business outcomes, reengineer strategies for addressing cyber risk, and create new ‘flight plans’ without skipping an operational beat. With each evolving challenge will come extraordinary opportunity.”
It remains concerned, however, that organizations are not doing all they can to avoid skipping that operational beat. According to the survey respondents, only 14% of cyber budgets are allocated to securing transformation efforts. And the long-experienced disconnect between existing cybersecurity and business will likely increase with cyber everywhere — less than 20 percent of organizations currently have security liaisons embedded within business units to foster greater collaboration, innovation and security.
“There’s a whole new way of thinking that has to occur with how organizations are going to achieve their business outcomes, and that is with a cyber everywhere mindset,” comments Deloitte’s advise and implement leader, Emily Mossburg. “What surprised me most about the survey findings was how nascent this concept is in adoption.”
Deloitte draws five conclusions from its survey. Firstly, cyber requires more executive attention, budget, prioritization, people, tools, processes, governance, and overall collective thought than it currently gets.
Secondly, it needs a leader with the authority to drive change. Whether that is a business-savvy CISO or CIO, or a cyber-savvy business leader isn’t specified — the key point is the authority to drive change.
Thirdly, cyber will require organizations to become nimbler, more flexible, and more collaborative as they work to secure their organizations, their employees, their customers, and partners.
Fourthly, data complexities will continue to challenge many organizations, and solutions will need to be found.
And finally, automation, speed, and insights will power the future of cyber.
“As organizations embrace digital transformation and are shifting to the cloud, simplifying technology infrastructure and outsourcing workload to third parties,” warns Mossburg, “they are also expanding their cyber risk. Cyber will become more prolific across systems, platforms, and people — employees, customers, and partners — and enterprise leadership has to correlate all of that to stay ahead of the adversary and protect the organization’s most valuable assets.”