Make cybersecurity key to digital transformation

THIS year's Singapore International Cyber Week's theme: Living With Covid19 - Reimagining Digital Security Risks And Opportunities reflects the critical need for organisations to address the impact of the Covid-19 crisis on their cyber resilience.

Over the last year, organisations have accelerated their digital transformation plans to cope with the fast-changing business landscape amid the pandemic.

Yet, the stop-gap technology solutions deployed during the initial stages of lockdown might have also inadvertently introduced potential vulnerabilities and organisations could find current levels of defences inadequate for the security needs of the new normal.

According to the 2021 EY Global Information Security Survey (GISS), about three in four (73 per cent) Asia-Pacific businesses highlighted that they have seen an increase in the number of disruptive attacks over the past year, compared to just 47 per cent in the previous year.

The Singapore Cyber Landscape 2020 report by the Cyber Security Agency of Singapore (CSA) revealed that cyber crimes accounted for just under half (43 per cent) of overall crimes in Singapore.

In particular, 2020 saw a 154 per cent increase in ransomware cases from 2019, as well as increases in the number of cases related to phishing, computer misuse and cyber extortion, due to the en masse move to remote working and rapid digitalisation.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

As the cyber threat grows, can organisations afford to downplay cyber issues while continuing the digitalisation path (and potentially create more risks), or should they leverage the transformation agenda to embed security by design across the organisation?

Clearly, the latter must be the way forward but organisations that embark on the cyber transformation journey must be prepared to overcome key challenges in plugging talent gaps, adopt flexible funding models and embrace cybersecurity as a value-driver.

PLUGGING TALENT GAPS

Given the sophisticated nature of today's cyber attacks, organisations need cybersecurity professionals with advanced technical skills. At the same time, there is a growing need for the cybersecurity function to expand the range of soft skills and professional qualifications that can build interdepartmental relationships and facilitate conversations on cyber transformations.

Hiring talents with such breadth and depth of skills is a tall challenge, which is compounded by the shortage and high turnover rates of sought-after cybersecurity talent in the market. Governmental efforts can help to address this but the road is long.

The CSA has been actively attracting new and training existing cyber talents through a range of schemes. This includes its Cyber Security Associates and Technologists Programme for IT professionals to acquire cyber skills as well as the SG Cyber Talent initiative launched in March 2020, which aims to nurture 20,000 cybersecurity talents at a young age.

Beyond governmental support, bridging the cyber skills gap will take the effort of all. Organisations will need to adopt an end-to-end talent approach by improving hiring, retention, capability building, people development, as well as leveraging technologies to automate manual and labour-intensive tasks to free up the capacity of cyber teams. Organisations will also need to broaden their view to consider how employees play a critical role in their cyber defence, since threat actors are increasingly deploying tactics such as phishing campaigns.

ADOPT FLEXIBLE FUNDING

Despite the growing threat of cyber attacks, the abovementioned EY survey found that cyber spend of Asia-Pacific businesses remains low - at just 0.05 per cent of their annual revenue. Chief information security officers (CISO) are struggling to scale their functions' efforts as they work with inflexible budgeting models, where they are either allocated a fixed portion within a larger corporate expense or cybersecurity costs are shared across the organisation.

Organisations need to adopt a more flexible budgeting model given the need for cybersecurity to respond quickly to the fast-moving cyber threat landscape, and to build in agility for organisations to realign their cybersecurity spend to their transformation initiatives.

REIMAGINE CYBERSECURITY'S VALUE

Tackling these challenges is not just the responsibility of the CISO or technology leader but requires commitment and support of the board and management.

The issue isn't a lack of leadership support. While cybersecurity is increasingly recognised as a business priority, it is viewed as a compliance or risk concern, rather than a strategic growth driver.

This perception continues to be reinforced if cybersecurity teams focus on the escalating problems without offering solutions, leading to the shutdown of new initiatives that are too cyber-risky.

Therefore, there is a possibility that cybersecurity is conveniently left out from the decision-making process in innovation initiatives, for fear that the lack of solutions may jeopardise the implementation of these innovations.

CISOs need to help the business understand the strategic value of cybersecurity as an enabler - rather than a roadblock - of growth.

It is important to better quantify the commercial value that investing in cybersecurity brings; build relationships to better communicate cyber risks in non-technical terms with the aim to become solution providers; and continue to engage with all functions on managing emerging cyber risks.

Transforming cybersecurity amid funding and talent challenges is neither a straightforward initiative nor an ambition that can be achieved in the short term.

However, accelerated digital transformation has made it an opportune time for organisations to review ways of working and integrate cybersecurity considerations earlier into decision-making.

Often, in the aftermath of a cyber breach, many organisations realise belatedly why cybersecurity must not be an afterthought; indeed, it does not have to be the case.

• The writer is EY Asean cybersecurity leader. The views here are the writer's and do not necessarily reflect the views of the global EY organisation or its member firms.