Board-business dynamic contributing to cyber risk: survey
Disconnect leading to one-third of Canadian organizations unable to articulate potential threats
TORONTO – A disconnect between cybersecurity efforts and business functions is putting more Canadian organizations at risk as information gaps leave leaders with a limited understanding of potential threats and how to mitigate exposure.
The 2020 EY Global Information Security Survey finds that 34% of Canadian organizations have yet to fully articulate their cybersecurity risk, compared to 16% of global peers.
“With more businesses moving — and potentially staying — online or working remotely, organizations are increasingly vulnerable to cyberattacks,” said Yogen Appalraju, EY Canada cybersecurity leader, in a prepared statement. “Amid the immense pressure felt from COVID-19, a cyberattack — and its ramifications on brand, reputation and financials — is the last thing an organization wants to happen while they’re already navigating significant disruption. Bridging the divide between the security function, lines of business and the board can be an enabler to proactively address heightened risks and help advance digital transformation.”
The EY survey finds that just 21% of Canadian boards understand how to fully evaluate their organization’s cybersecurity risks, compared to 48% globally. Meanwhile, 43% are unable to quantify cybersecurity effectiveness in financial terms, compared to 24% of global respondents.
“Cybersecurity teams must learn to speak the board’s language to better communicate the severity and business impact of different risks,” said Appalraju. “Increased education and engagement among this group should trickle down into the business to drive awareness, while helping to secure the buy-in for funding and resources needed to address growing threats.”
The survey finds that cybersecurity teams need to develop better alliances across all business functions of the organization. Right now, only 10% of Canadian survey respondents say there’s a high level of trust and consultation between cybersecurity teams and the broader business.
“Cybersecurity needs to be present at the development stage of any product, service or initiative as businesses look to make greater digital investments to support an online transition in this new environment,” said Appalraju.