2020-02-19

GlobalData is the market leader in providing actionable insight into the technology industry. With market analysts in 18 countries around the world, along with a team of researchers and consultants, we can provide you with the reliable, in-depth industry information you need.

A new survey from professional services firm EY shows many organizations failing to integrate cybersecurity into technology planning despite a continued increase in cyberattacks. The problem: poor integration of security into important business functions. The answer: give more power to chief information security officers and build cybersecurity into technology project planning and lifecycle management.

According to EY’s annual Global Information Security Survey of 1,300 cybersecurity leaders released in February, only 36% of organizations integrate cybersecurity into the planning process for new technology initiatives. This is despite the fact that 60% of those organizations reported an increase in disruptive attacks in the past year.

A major reason for this apparent lack of urgency is that, for most organizations, cybersecurity measures are being implemented not out of any true recognition of the emerging threat, but out of a sense of obligation to align with compliance checklists. And while cybersecurity teams are generally in sync with adjacent functions such as IT, audit, risk, and legal, there is a disconnect with other business functions. For example:

· 74% of respondents indicate the relationship between cybersecurity and marketing was neutral, mistrustful, or non-existent;

· 64% say the same about the relationship between cybersecurity and R&D;

· 59% say the same about cybersecurity within their lines of business; and

· 57% say the same about their relationship with the finance department (which, by the way, provides their funding).

It’s clear that these cybersecurity professionals put much of the blame for this lack of urgency squarely on their organizations’ directors: nearly half say their board does not have a full understanding of cybersecurity risk, while 43% believe directors do not fully understand the value and requirements of the cybersecurity team. According to the survey, 46% of organizations do not even include cybersecurity as a board of directors agenda item.

EY has two key recommendations. First, enterprises should give the chief information security officer (CISO) a broader role beyond mere compliance officer by having them engage in a more meaningful way with the board and with individual lines of business. This, in turn, would enable the CISO to better understand commercial imperatives and prepare for cybersecurity concerns that might emerge.

Second, and more fundamentally, organizations should adopt a security-first approach that builds cybersecurity into both internal and customer-facing technology initiatives at the outset and throughout the project lifecycle, rather than treating it as an afterthought.

While ‘security by design’ would seem like a no-brainer, the fact that only 36% of respondents currently build cybersecurity into the planning stage shows how far most enterprises have to go.