EY recently published their Global Information Security survey and I spoke to Carol Murphy, EY Ireland Consulting Partner and Head of Technology Risk, about it. Carol is a Partner at EY Consulting and leads the Technology Risk practice, including cyber and data protection, IT governance and IT performance, as well as programme assurance and digital assurance services.

She is also the EY Lead for the Connecting Women in Technology Network. Carol has worked over the years with numerous clients on significant business and IT transformation programmes, providing oversight and assurance to key stakeholders.

Tell me more about the Global Information Security survey.

This is a survey that we’ve done for over 20 years across global organisations. It was asking for the views of our clients, mainly in the CFO, CTO, CIO role, and their perspectives related to their technology risk landscape.

This year, we have some interesting findings including a recognition of the huge challenge of the digital transformation that has happened over the last number of months, in response to the global pandemic. Including some of the vulnerabilities and concerns that have emerged as a result of that.

We’ve got some good insights out of that, in terms of both the volume and severity of incidents that are happening. The challenges that our Irish CIOs and global CIOs are experiencing, in dealing with those challenges, both from a technical and a funding perspective. This is in relation to really engaging with the business and getting the right support, to be able to secure the right investments and build the right capabilities to respond.

Carol, did you find that companies who have always been upgrading software and hardware are the ones that are more secure?

To an extent, we have seen lots of investment in technology. We have also seen that there has been bypassing of a lot of entities of security and privacy controls and technologies, such as with the rapid transition to remote working taking priorities. There’s a whole retrospective piece that needs to be done there, in terms of remediating some of those issues.

But of course, we have seen organisations really investing in their defences, and in their technology, from a security perspective. Like anything, our recommendation is not only about the technology, it’s really to take a more integrated, realistic approach than that. To make sure that organisations are thinking not just about having the best in class, or fit for purpose, technical solutions. But they’re also thinking about that in the context of having good processes, having the right governance, and also encouraging the right behaviours, and the right awareness, in their people, because the biggest concern here is the human factor.

We always say you’re only as strong as your weakest link, and usually, your weakest link is something that happens by somebody inadvertently clicking on a link, or potentially somebody being coerced or collaborating with malicious third parties, to exploit some of those vulnerabilities to commit fraud. So, we think there needs to be a big focus, not just on the technology, but much more broadly, on governance and people.

So, I guess education on how to keep yourself secure and make sure you don’t click on the wrong links, or open wrong emails, and also with governance, what do you recommend they do when it comes to governance?

I think we will expect to see more CSOs and we also expect to see more CSOs that potentially don’t report to the CTO or CIO. They will actually have a reporting line into a Chief Risk Officer or a Chief Compliance Officer or in some cases, potentially even CEOs, the most senior level management in the organisation.

I think that’s something we’re going to see more evolution of in the coming months and years, and just really in recognition of the priority that boards and audit committees are placing on cybersecurity as a top risk for them.

It’s on every corporate risk register that we see now, usually at the top five or top three. We’ll certainly see a lot more scrutiny around that. While I think that has been there for quite a while, what we’re seeing now is that boards and audit committees are asking questions of management, including their CIOs and CTOs and CISOs, not about what our cyber security posture is, or what we are doing about it. Instead asking about our level of readiness, our level of preparedness if we were to experience an incident.

That conversation is really moving on now. It’s not just about asking the question or ticking the box but going a lot deeper in terms of being subjected to some kind of attack. How prepared would we be? How quickly would we detect it? How would we contain it? How would we prove we have the right capabilities to deal with it? And how would we continue to run the business?

That’s where this is moving to, as well, from a governance perspective, and much less about, the technology in terms of detecting or preventing an incident. It’s much more about recognising that because these incidents now are happening more frequently, they’re lasting longer, and they’re more severe in terms of the impact that organisations are now having to really look at.

How are we going to continue to run the business, so it becomes much more of a business continuity conversation, in terms of how do we prioritise our systems and our services and our customers and our suppliers? What sequence of events would we need to implement? And how long is it going to take, because these incidents are not recoverable in a matter of hours or days anymore, they’re taking weeks or months, even if we think about what’s happened in our national health service, which was probably the most severe incident in the history of the state, on our critical national infrastructure.

That is taking a huge amount of effort and many months to recover and respond to and in all that time, there is a need to continue delivering the services to patients in the community, which is a real challenge. So, we’re seeing lots more businesses, being very focused on business continuity in response to a cyber incident, which is a much broader conversation than we’ve seen happening up to now.

And, if you’re working on a cyber-attack, it’s hard to deal with, because you’re not dealing with integrating one or two, three buildings, it’s all over the world or country.

These incidents are obviously not limited to or contained within one space, there is a much broader ecosystem. If these incidents are hitting enterprises, they’re hitting your infrastructure, they’re taking down your ability to collaborate, your email, your Teams, your Zoom, your ability to connect with people, that’s fundamental, and wide reaching.

Of course, even if you manage to contain it, we’re still going to have a level of recovery to do and an awful lot of testing, and an awful lot of monitoring, and so on. These things really take time, they’re really challenging for businesses to navigate.


Ronan Leonard
