Over two thirds (67%) of companies feel that cybersecurity concerns prevent them from adopting new technology to grow their business faster, according to a new report from EY that is based on a survey of 175 C-suite executives at UK-based organisations. Cloud computing and the internet of things (IoT) were the two technologies that were perceived to pose the greatest cybersecurity risks.
Mike Maddison, EMEIA Advisory Cybersecurity Leader, EY says: “There is pressure for companies to compete in the technology arms race, but cybersecurity fears are sometimes thwarting adoption in important areas such as cloud computing, blockchain, artificial intelligence and IoT. This is illustrated in the concerns of our survey respondents, as 42% of technology and business leaders feel that they are behind their competitors in the adoption of new technology.
“In recent years, the rate and pace of technological advances, regulatory change, cyber-attacks and data breaches have moved cybersecurity rapidly up the corporate agenda. Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organisations need to start thinking differently about cybersecurity. Business leaders need to make the leap from seeing cybersecurity as only a protective measure, to it also being a strategic value driver.”
Furthermore, 83% of the surveyed organisations feel there is industry pressure to display good levels of cybersecurity. And, more than three-quarters (76%) believe that having a cyber secure brand is important for competitive advantage.
Divisions at board level around cybersecurity strategy
The report also finds that across many organisations, Chief Information Officers (CIO) and wider board member views around cybersecurity are not yet aligned. Business leaders such as the CEO, CFO and COO tend to be less confident about their organisation’s cybersecurity than those with direct responsibility for IT and technology such as the CIO and Chief Information Security Officer (CISO). In addition, technology leaders are more likely to believe it is important for competitive advantage to have a cyber-secure brand (82%) compared to only 68% of business leaders.
Furthermore, more than half (57%) of business leaders and exactly half (50%) of technology leaders cite a lack of business sponsorship as the biggest barrier to improving their organisation’s cybersecurity. Views differ further on how to secure and embed that engagement. Technology leaders are more likely to focus on accountability. A majority (58%) suggest that giving an individual board member overall responsibility for cybersecurity would have the greatest impact. Meanwhile, business leaders are more interested in strategy with 64% believing the biggest gains would come from making cybersecurity more of a strategic priority.
Cybersecurity levels vary across sectors
According to the survey, cybersecurity maturity levels vary significantly across sectors. The perceived value of cybersecurity was higher in the sectors with more direct interaction with consumers and where higher levels of personal data were held.
Respondents from the technology, media and telecoms (TMT) sector had the highest levels of board awareness, the largest investments in cybersecurity planned and the fewest concerns around cybersecurity as a barrier to adopting new technology to grow their business. In addition, 96% said they believe their boards know how to quantify cybersecurity risks and 80% have a board member with direct expertise in cybersecurity.
Survey respondents from the retail sector were unanimous in their belief that a cyber secure brand is important for competitive advantage. Evidence of this is that 80% of the retailers surveyed plan to increase cybersecurity spending by between 15%-25% over 2019.
Respondents from infrastructure companies are investing less money in cybersecurity than other sectors. Some 60% of infrastructure sector respondents invest 5% or less of their total IT budget in cybersecurity, with 56% not planning to raise spending during 2019.
Lack of accountability top barrier to improving cybersecurity
Mike Maddison adds: “One route to a sharper cybersecurity focus is to strengthen responsibility. According to our survey, more than half (57%) of organisations do not have a board member with direct expertise in cybersecurity, and nearly two thirds (67%) do not think one is needed. Although direct board expertise in cybersecurity may not be needed, board-level understanding of the risks to the business is needed for a stronger cybersecurity posture. In addition, for more than half (53%) of organisations surveyed, a lack of business ownership is seen as the biggest barrier to improving their cybersecurity.”