Cyber risk: Achieve security through simplification
Richard Watson
Global & Asia-Pacific Cybersecurity Consulting Leader at EY | @WatsonCyber
The cyber threat environment continues to worsen. Organizations are facing an average of 44 significant cyber incidents a year, and detection and response times are slow, with three-quarters of organizations taking an average of six months or longer to detect and respond to an incident. Meanwhile, the known number of cyber attacks has increased by approximately 75% over the past five years[1], and ransomware costs are forecast to reach US$265 billion by 2031 up from US$20 billion in 2021.[2] New, sophisticated adversaries are weaponizing the latest technology to increase the speed and scale of their attacks. The impacts — financial, regulatory and reputational — are mounting.
In early 2023, the Global EY organization conducted research to better understand how companies are approaching their organization’s cybersecurity to prepare for the cybersecurity threats of today and tomorrow. We surveyed 500 C-suite and cybersecurity leaders across 19 different sectors and 25 countries covering the Americas, Asia-Pacific (APAC), and Europe, the Middle East, India and Africa (EMEIA). Respondents represented organizations with over US$1 billion in annual revenue.
We identified leading organizations with the most effective cybersecurity — we call this group “Secure Creators.” Compared to their lower-performing counterparts, “Prone Enterprises,” Secure Creators have fewer cyber incidents and are quicker at detecting and responding to incidents. They are also more likely to be satisfied with their cybersecurity approach today (51% vs. 36%) and more likely to feel prepared for the threats of tomorrow (53% vs. 41%).
This blog, the first in a four-part series, dives into the key findings from our survey – and what we can learn from the outperformance of the Secure Creators group. A striking theme both from our study and our work with clients is that the complexity of the technology stack is itself becoming a risk factor. Cybersecurity tools and applications have improved in recent years in their sophistication, speed and effectiveness. This is driven in part by significant investment, with US$1.3 trillion invested in cybersecurity between 2010 and 2022, growing at a compound annual rate of 16.6%, according to Pitchbook. Our survey confirmed this, with 84% of organizations in the early stages of adding two or more new technologies to their existing suite of cybersecurity solutions.
But ironically, it’s the very scale and complexity of security measures that now pose the greatest threat to efficient cybersecurity because it limits visibility. The more cluttered the technology environment, the harder it is to pick up signals and get on top of issues quickly. Consolidating technology into a single platform and reducing the number of vendor products eases integration, allows telemetry to flow to the surface more easily, and helps security teams spot incidents more efficiently.
CISOs need to transform how cybersecurity technology is introduced across the enterprise, developing a more holistic technology strategy that rationalizes existing systems and addresses the cybersecurity needs of emerging business imperatives such as cloud and ecosystem partnerships and makes full use of automation.
Secure Creators do this; while 70% defined themselves as early adopters of emerging technology, they are focused on advanced solutions to simplify their environment, in particular by harnessing automation. They are more likely to use or are in the late stages of adopting artificial intelligence or machine learning (AI or ML) (62% vs. 45%) and Security Orchestration, Automation and Response (SOAR) (52% vs. 37%). This gives them a seamless, organization-wide defense, and a clear line of sight to cybersecurity incidents.
Secure Creators are more likely to say their approach to cybersecurity is also tied to improved adaptability as threats change (45% report a positive impact). On the other hand, just 34% of Prone Enterprises said the same while 36% report their approach has a negative impact on their adaptability. While the same emerging technology empowers organizations, cyber leaders need to ensure they have a cybersecurity technology strategy which provides security through simplification.
My key takeaway is that cyber leaders should simplify and rationalize existing cybersecurity technologies to reduce total cost of ownership and establish the platform for seamless operations at speed. They should review legacy systems that are duplicative or poorly integrated as part of technology modernization and adopt simplified and automated cybersecurity processes, rather than multiple independent configurations. They should also consider automation-led approaches including DevSecOps and SOAR and pursue co-sourcing and a managed services approach that simplifies infrastructure and increases visibility while generating cost efficiencies.
Stay tuned for the next blog in the series, which will dive into how companies can manage the growing attack surface that hackers can exploit, from cloud at scale to deepening digital supply chains.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
Thank you for valuable sharing.
VE, Kaplan (businessregulator.com presstm.com brandoracle.com dollartm.com Europetm.com forbesbook.com)
1 year ago
It is indeed need of the hour, "optimizing automation and strengthen cloud security" solutions to stay resilient in era of exponential growth of usage of #AI #cloud services.
Author: "Lessons in Corporate Governance from the Global Financial Crisis", Author: "Confucius Says No"
1 year ago
Richard, thank you for the EY Insights Study. Your insights in cyber security are always appreciated.
QTE, CISSP, CRISC, CPISI, CGEIT, CDSPE, Security +, ITIL CISO, Aboitiz Group
1 year ago
#sinpleisgood