A survey of 500 CISOs (chief information security officers) in more than 25 countries, conducted by EY, yields shocking results on the state of global corporate cybersecurity.
Only 20% of CISOs believe that their business cybersecurity strategies are being carried out effectively.
First, what is a CISO? CISO is the acronym for Chief Information Security Officer. The CISO is a C-level executive in an organization, and their main function is to oversee and direct information security strategies and policies.
The CISO is thus responsible for protecting the company’s information assets against internal and external threats, guaranteeing the confidentiality, integrity, and availability of the company’s data.
Given this, how do CISOs themselves view enterprise cybersecurity strategies?
Well, EY’s “Global Cybersecurity Leadership Insights 2023” report reveals that only 20% of respondents in cybersecurity management consider their organizations’ approach to cyber threats to be effective.
This figure, obtained from a survey of 500 cybersecurity managers in 25 countries, including Spain, raises questions about global corporate information security strategies and policies.
Cyberattacks cost companies more and more every year
On the topic of incident frequency, the study reveals that organizations experience, on average, 44 cybersecurity incidents per year. This is not only a threat to information security, but also has a significant financial impact.
However, despite the average annual investment of $35 million in cybersecurity, we see a 12% increase in the average cost of security breaches, reaching $2.5 million by 2023. This suggests that current investments are failing to effectively mitigate risks.
In this sense, the state of cybersecurity in Spain seems to be aligned with the state of cybersecurity worldwide.
CISOs believe cyberattacks ‘take too long’ to detect
Regarding detection and response to cybersecurity incidents, in the study, 76% of respondents indicated that their organizations take an average of six months or more to address threats.
This delay highlights the importance of improving monitoring and response processes in enterprise cybersecurity to prevent attacks from persisting for extended periods of time.
EY’s analysis also classifies organizations into two categories: “Secure companies” and “Vulnerable companies”. The former stand out for having more efficient cybersecurity strategies, experiencing fewer incidents, and showing faster detection and response to threats.
These organizations, which embrace emerging technologies such as artificial intelligence, machine learning, SOAR, cloud, and DevSecOps, are considered more prepared and satisfied with their strategies, setting the industry standard.
Looking ahead: The challenges facing CISOs
The study highlights common concerns regarding cybersecurity challenges for both categories of organizations. The second-most frequently mentioned challenge is the difficulty of balancing innovation and security, revealing the constant pressure to adopt new technologies and processes to drive efficiency and competitiveness while safeguarding digital assets.
While both “Secure Companies” and “Vulnerable Companies” share common cybersecurity concerns, such as financial, technology infrastructure, and reputational risks, there are differences.
“Vulnerable Companies” focus more on financial risks, while “Secure Companies” consider technology infrastructure to be a more significant threat. In addition, a gap in the perception of risk in the supply chain is evident.
Cybersecurity training and awareness: The best way to stay protected
Finally, the study indicates that half of the participants express uncertainty about the effectiveness of cybersecurity training for their staff.
In fact, only 36% of CISOs surveyed were satisfied with the implementation of best practices by teams outside the IT department.
“Secure Companies” highlight the vital importance of cybersecurity training at all levels of the organization, creating a cybersecurity culture that influences their transformation, innovation, and ability to respond nimbly to market opportunities.
Still not convinced of how low the level of cybersecurity awareness and training among employees in business organizations remains? Stick around for more information.
A report entitled “Companies and Cybersecurity,” the result of a collaboration between the LEET Security evaluation agency, the Club de Excelencia en Gestión (CEG), and the research firm Inmark, provides enlightening data:
Strikingly, only 40% of companies carry out an ongoing assessment of the security levels of their external suppliers throughout their business relationship. This is surprising given that 47.6% of suppliers access internal company networks and 46% handle sensitive information.
Despite this, an overwhelming majority of companies in Spain (77.5%) show a positive interest in a standardized system to verify the security of their suppliers’ systems.
Zepo: train your employees, build a human firewall
Register your employees.
You can do this manually or through a CSV.
You can create groups of employees based on their level of knowledge and awareness of cyberattacks.
Launch attacks and test your teams.
You will be able to check in real time who falls into the trap.
We create customized templates for your campaigns based on the banks and suppliers you work with. No one will know that it is a simulation.
Train your staff in cyberattack prevention.
Create customized prevention courses that take just 3 minutes per month.
No more boring mandatory courses. With Zepo, you will learn and have fun at the same time.