Seemingly so for 76 people surveyed in a global Ernst & Young (EY) study.

Despite the overall growth in cyberattacks last year, less than half of organizations (SEA 43%, global 36%) say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS).

This year’s GISS surveyed almost 1,300 cybersecurity leaders at organizations worldwide, including 76 across SEA that covers Singapore, Malaysia, Philippines and Vietnam. The survey showed that 59% of organizations (SEA and global) have faced an increased number of disruptive attacks in the past 12 months.

Gerry Chng, EY ASEAN Risk Leader commented: “Security breaches on companies are now becoming commonplace and a determined perpetrator will be able to cause some form of disruption, directly or indirectly. Such disruptions today go beyond mere inconvenience. Enterprises could suffer short-term loss of revenue and longer-term impact on customer trust and brand equity.”

Moreover, cyber threats are increasingly driven by social activism (hacktivism) instead of traditional motives such as financial gain. Over the last year, in SEA, activists were responsible for 20% (global 21%) of successful cyber attacks, followed closely by organized crime groups at 19% (global 23%). Activist threats pose a new challenge to chief information security officers (CISOs), who now have to recognize and be ready to manage this new threat motive.

Says Kris Lovejoy, EY Global Cybersecurity Leader, Advisory, EY: “Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of (being) built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the CISO to act as a consultant and enabler instead of the stereotypical roadblock.”

Critical role of CISO

The survey found that board-level awareness and support for the cybersecurity agenda is higher in SEA markets, compared to the rest of the world. More than half (59%) of SEA organizations (global: 48%) believed that their boards have the required understanding to evaluate cyber risks.

As well, 76% of SEA organizations (global: 72%) agreed that their boards see cyber risk as significant. However, CISOs in this region—as well as globally—can do more to drive traction in board communications and work on gaining better representation on boards.

Less than half (47%) of SEA organizations (global: 54%) regularly schedule cybersecurity in their board agendas. Only in four in 10 organizations (SEA: 37%, global: 36%) have a Head of Cybersecurity who is also a member of the board or executive management team.

While CISOs need to drive engagement at the board level, they must not forget to invest in building relationships across the business. According to the survey, while cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business. Only 37% of SEA organizations (global: 59%) said that the relationship between cybersecurity and the lines of business is, at best, neutral, if not mistrustful or non-existent.

Forty-six (46%) of SEA respondents (global 57%) said the same for the finance function, on which they depend on for budget authorization, while 58% of SEA organizations (global: 74%) shared similar sentiments with the marketing team.

On how businesses and CISOs can work together to close the gap, Chng shared: “Deeper trust and meaningful dialogue will happen only when a common understanding and language is established between the business owners and CISOs. Both sides will need to put in the effort to see progress. Business owners need to truly appreciate technology’s benefits and value proposition to bring forth innovative approaches to address evolving customer expectations, while CISOs need to start understanding how to articulate the return on cybersecurity investments needed in business terms.”

In addition to relationship building, the report concluded that CISOs need to effectively manage operational issues. Currently, the most challenging aspect of managing cybersecurity operations is procuring or justifying budget (SEA 18%, global 17%), followed by proving to the board and C-suite that cybersecurity is performing in line with expectations (SEA 14%, global 22%).