Balancing Transformation and Security

Boards, business units, and cybersecurity functions aren't all on the same page about protecting the organization's digital initiatives.


The rush to digital transformation is creating a tension between cybersecurity and innovation. Six out of 10 corporate directors say they are willing to compromise cybersecurity to meet business objectives, according to the 2019–2020 National Association of Corporate Directors (NACD) Public Company Governance Survey.

"Boards must work with their management teams to reconcile the need to transform themselves digitally with the need to ensure underlying data assets are properly secured," says NACD CEO Peter Gleason.

In short, security must be part of the design of digital transformation, a new EY report advises. Yet, only 36% of new technology initiatives include security from the start, according to the EY Global Information Security Survey 2020 (PDF).

That shortcoming is despite the growing recognition that security incidents are increasing, notes the survey of cybersecurity leaders from 1,300 organizations. About six out of 10 respondents say their organization has had a material or significant cybersecurity incident in the past 12 months.

A Transformation Roadblock

The problems are multifold, the EY survey finds. For starters, only 7% say their organization sees cybersecurity as enabling innovation. In most organizations, cybersecurity is considered the opposite — compliance-driven and risk-averse. Just 9% of new cybersecurity spending is for new business initiatives, with greater focus on defensive priorities.

That approach isn't sustainable, says Kris Lovejoy, EY global advisory cybersecurity leader. Instead, organizations need a "security by design" culture that can "bridge the divide between the security function and the C-suite," she says. In such a culture, the chief information security officer (CISO) must become the agent of transformation, "instead of the stereotypical roadblock."

To get there, cybersecurity functions will need to win over mistrustful business units. EY reports that 59% of respondents say their function's relationship with business units is neutral, mistrustful, or nonexistent. That percentage rises for key innovators such as the research and development function and marketing.

To shift the culture to security by design, EY recommends that organizations:

  • Establish cybersecurity as a "key value enabler" of digital transformation initiatives, beginning at the planning stage.
  • Build trust relationships between cybersecurity and every business function.
  • Implement governance structures that support a "risk-centric view" in board and executive reporting.
  • Focus on board engagement by using understandable terms to communicate about cyber risks.
  • Evaluate the cybersecurity function's strengths and weaknesses.


The Board and Cyber Risk

Acting on those recommendations may be challenging, though, particularly where the board is involved. About half of respondents say their board doesn't understand cyber risk. EY's recent Global Board Risk Survey reports that half of boards are only somewhat confident in their organization's cybersecurity and just 54% discuss it regularly.

Board directors responding to the 2019–2020 NACD Public Company Governance Survey have a higher assessment of their cybersecurity understanding. Nearly 80% say their board's understanding of cyber risk has improved significantly over the past two years, according to the survey of 500 directors, released in December.

Two-thirds say their board is confident that the organization can respond effectively to a materially significant incident. And almost two-thirds say they are confident in the board's ability to provide effective oversight over cyber risk.

Oversight Principles

The NACD has teamed with the Internet Security Alliance (ISA) to issue new board guidance, Cyber-risk Oversight 2020 (PDF). This third edition of the NACD's handbook on cyber risk describes five guiding principles for addressing those risks:

  • Cybersecurity as a strategic risk — rather than an IT risk. Technology and data are "center stage as critical drivers of strategy," the handbook notes.
  • Legal and disclosure implications. Directors need to know the legal implications of cyber risks, including what they must publicly disclose and the potential for lawsuits.
  • Board oversight structure and access to expertise. Boards need adequate expertise about cybersecurity and should discuss cyber-risk management regularly.
  • An enterprise framework for managing cyber risk. Directors should expect management to put in place an enterprisewide cyber-risk management framework.
  • Cybersecurity measurement and reporting. The board and management should identify and quantify financial exposure to cyber risk, and determine which risks to accept, mitigate, or transfer.

In addition to the principles, the NACD handbook includes 13 tools for board directors, which map back to individual principles. These tools include questions directors should ask about cybersecurity, a self-assessment of the board's cyber-risk oversight effectiveness, and an overview of insider threats and third-party risks. Other tools cover incident response, cybersecurity metrics, due diligence for mergers and acquisitions, dashboards, and U.S. government resources.

Set the Tone

"Digitalization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk," says Larry Clinton, president of ISA and lead author of the NACD handbook. He says boards must help set "a tone for security." More and more, boards, management, cybersecurity functions, and business units all must ensure that initiatives address both the risks and opportunities.

Tim McCollum

About the Author



Tim McCollum is Internal Auditor magazine's associate managing editor.

