While cybersecurity is pegged to be a $281.74bn industry by 2027, businesses are still seeing it as an afterthought, a study from EY claims.
The number of cyberattacks is increasing, with a study from Ponemon suggesting two-thirds of SMEs have been hit by a cyberattack and 58% have experienced a data breach in the past year.
However, a new study from EY claims only one-third of organizations state cybersecurity functions are involved at the planning stage of a new business initiative.
EY's new Global Information Security Survey (GISS) found that 60% of firms have witnessed an increased number of disruptive attacks in the past 12 months.
The report, which comprises responses from 1,300 cybersecurity leaders worldwide, also found that activists were the second most successful cyber attackers, accounting for 21% of the successful incidents. The figure is just below that of organized crime groups, which were responsible for 23% of the attacks, and it is nearly double last year's level, when activists represented only 12% of attacks.
Despite rising threat levels, only 36% of new, technology-enabled business initiatives involve a security team from the start.
EY cybersecurity leader Kris Lovejoy said, “Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design.
“This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock.”
Inside the company, there is a consensus that cybersecurity teams have good relations with adjacent functions such as IT, audit, risk and legal. However, the survey claims there is a disconnect with some areas of the business.
Just under three-quarters (74%) of respondents said the relationship between marketing and cybersecurity was neutral, if not mistrustful or non-existent. Similar opinions were held in regard to the research and development teams.
Copyright © 2018 RegTech Analyst