Security remains an "afterthought" for businesses

Only a third of new business initiatives bring in the security team right at the beginning, according to research from EY.

The analyst firm's annual Global Information Security Survey revealed that only 36% of business plans and projects bring in the security department at the start — despite six in ten saying their organization had seen an increase in attacks over the past year.

"If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design," says Kris Lovejoy, EY Global Cybersecurity Leader. "This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the chief information security officer (CISO) to act as a consultant and enabler instead of the stereotypical roadblock."

Indeed, the EY research suggested a disconnect between the wider business and cyber security teams. While security teams work well with the wider IT department, as well as connected areas such as legal, risk and auditing, that's not true for other departments. According to the survey of 1,300 security leaders around the world, three-quarters say the relationship between their own teams and marketing is at best neutral, with two-thirds saying the same of research. Perhaps more worrisome is that 57% report a strained relationship with finance — problematic when seeking budget.

"Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative," says Lovejoy. "This is not a sustainable model."

The solution, she says, is building trust. "As companies undergo transformation, what's needed is to build relationships of trust across every function of the organization, starting at the board level so that cybersecurity is established as a key value enabler," says Lovejoy. "Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position cyber security at the heart of business transformation and innovation."

The research also uncovered a shift in the source of such attacks against organizations. While organized crime groups are still responsible for most cyber security incidents, at 23%, activism climbed to 21% of successful attacks from 12% the year before.