A new EY Board Survey has identified “technology disruption” as the number one strategic opportunity for organizations. The survey reveals that 48 percent of boards believe data breaches and cyber attacks will “more than moderately” impact the business in the next 12 months. However, only 36 percent of respondents in the survey indicated cybersecurity is a priority in the planning phase of any new business initiative.
At a “people” level, the survey highlighted the need to re-establish relationships between the security team and the various business lines, as a majority of respondents described the dynamic as neutral at best.
These findings support the reality that boards view technology transformation as a strategic imperative, evidenced by digital transformation efforts that permeate across companies of all sectors. Though an increasing number of board members expect a cyber attack to have a negative impact on the business in the near-term, less than a majority are proactively looking at ways to prioritize security as part of the business strategy process. By talking about and looking at cyber risks in financial terms rather than as security concepts (i. e. the dollar-value impact of good or bad cyber governance in terms of the share price and balance sheet), boards and C-suites can proactively address security in new business initiatives, rather than as an afterthought.
The cyber risks that have the greatest impact on the balance sheet—those that disrupt operations—are often a byproduct of a strategic business decision, such as a digital transformation effort or M&A transaction. This should not come as a surprise, but it is problematic and requires attention to minimize the likelihood of a costly cyber-related disruption. It can be corrected, in part, by resolving what Cyberhedge refers to as “the Trilemma” at an organizational level—finding the right balance between growth, cost savings, and security.
Finally, the less-than-healthy relationship between security teams and business lines highlighted in the survey is partly a reflection of weaknesses in “people, policy, and process,” an area that is the foundation of a company’s cyber governance. If leadership approaches cyber as a core business issue rather than as a compliance exercise, it can also positively impact the human dynamic that strengthens or erodes a company’s defenses.