The average annual organizational spend on cybersecurity in 2023 was US$35 million – but that figure still falls short of what most businesses will need to invest to build their cyber defenses and safeguard their operations.

Just one out of every five companies is future-ready when it comes to cybersecurity, according to the latest EY 2023 Global Cybersecurity Leadership Insights Study. This is despite the World Economic Forum ranking cybercrime among its biggest risks for the next decade.

EY professionals asked 500 global cybersecurity leaders how they were navigating the complex landscape. They explained that known cyberattacks have increased by 75 percent in the past five years – and yet it takes most companies more than six months to respond to an incident.

Adversaries are using next-generation capabilities, such as automation and AI, to launch cyberattacks. Around 450,000 new malicious programs, or malware, are created every day. Digitized processes encourage scams; AI makes them even easier to execute. Consequently, the global cost of cybercrime is expected to grow by 15 percent each year, topping US$8 trillion in 2023, up from US$3 trillion in 2015.

The world’s best cybersecurity defenses will be worthless if your employees don’t understand and respond to the risks.

There are simply too many attack surfaces for any cyber team to deal with. When each internal alert demands human investigation, the task can be overwhelming.

The cybersecurity research found 84 percent of organizations are at the initial phases of integrating two or more additional technologies into their current cybersecurity solutions. But ironically, every new technology imposes an additional cybersecurity threat.

Organizations with labyrinthine, legacy technology are catnip to cybercriminals. The more cluttered your technology stack, the harder it is to pick up suspicious activity.

Ensuring employees aren’t leaving the doors open to cyberattacks is another daunting challenge. The world’s best cybersecurity defenses will be worthless if your employees don’t understand and respond to the risks. Overlay that with the fact that every organization is now inextricably and digitally linked to businesses in their supply chains, and the challenges seem insurmountable.

What does all this tell us? It tells us that the perimeter of any company’s cybersecurity problem is not where they think it is. Cyber criminals take a “one-to-many” approach, targeting the weakest link to tap into thousands of enterprises. Most business leaders – even those who thought they had led from the front on cybersecurity – are on the back foot.

Mind the confidence gap

A CEO who is not worried about cybersecurity hasn’t heard the warning bells.

The EY Global Board Risk Survey found only four out of every 10 boards meet with their CTO on a less-than-quarterly basis. A similar number of board leaders are confident that they understand the biggest cyber risks confronting their organization. And just a third of directors are very confident that they are spending enough time exploring cyber risk.

Eighty-two percent of CEOs surveyed for the EY July 2023 CEO Outlook Pulse expected technological disruptions – notably cyber risks – to impact their business over the next 12 months.

Despite this, the cyber research has found that the C-suite is more likely to be satisfied with the effectiveness of their organization’s approach to cybersecurity than the person who knows best – their chief information security officer. Around half of C-suite leaders (48 percent) are satisfied with their cybersecurity strategy, compared with around a third (36 percent) of cybersecurity professionals.

EY teams also asked CEOs where their heads were in 2023 and what they saw on the horizon. Eighty-two percent of CEOs surveyed for the EY July 2023 CEO Outlook Pulse expected technological disruptions – notably cyber risks – to impact their business over the next 12 months.

Speak the language of business

With the help of machine learning and statistical modeling, EY teams have identified several key characteristics shared by the most cybersecure organizations around the globe. We call this group “Secure Creators” because they have fewer cyber incidents than their counterparts, the “Prone Enterprises”, and they behave in different ways than their peers.

Secure Creators are quick to adopt emerging technology and use automation to streamline processes. They have clear strategies to manage complex attack surfaces. They also build bridges across their organization – the C-suite, the cybersecurity team and the broader workforce – by speaking the language of business.

This isn’t always easy. Most CEOs can’t talk about cybersecurity with confidence. They aren’t technologists by trade, but usually leaders who have risen through their ranks because of their financial acumen, business savvy or people skills.

We have seen a simple graph capture the board’s attention and bolster a cyber budget in a matter of minutes.

We’ve found, through the research and work with countless clients, that CEOs who bring their natural skills to the cyber conversation add weight to the discussion and create a compelling case for change.

For instance, some Secure Creator businesses build actuarial models to quantify their cybersecurity risks and communicate those clearly with their stakeholders. If a threat materializes, what is the dollar impact of systems going offline? How does that translate into lost customers, brand damage, regulatory fines or lower transaction revenue? Asking and answering these questions brings clarity to cybersecurity strategy.

Another way that leaders in Secure Creator businesses evaluate and communicate cyber risk is by benchmarking against industry peers. A big gap between a business and best practice can be perceived as a dereliction of duty, especially if investors and regulators start asking questions in the wake of a cyber incident. We have seen a simple graph capture the board’s attention and bolster a cyber budget in a matter of minutes.

Catalyzing value creation

Done well, cybersecurity is not just about value protection. It is also about value creation. What does this look like? Rather than retrofitting security tools around existing systems or ticking off items from compliance checklists, cybersecurity is embedded into every new initiative from the outset. We call this “Security by Design”, and this approach builds trust, which in turn creates new value.

The cybersecurity function is clearly in catch-up mode. But the skills the CEO must depend upon are diverse. It’s true, every business needs good technology specialists. But it also needs experts in the development and delivery of change management programs. CEOs need people who are adept at educating and training teams. They need great communicators. And they need people who can see the value that cybersecurity can create.

Whatever the value, CEOs who establish the guardrails and protections are those that will allow business functions to focus on new ideas.

This new value may be brand equity as customers and suppliers feel confident to transact. It may be cost savings through streamlined operations and optimized processes. It may mean getting products to market faster, attracting top talent or innovating with the backing of an ecosystem of partners.

Whatever the value, CEOs who establish the guardrails and protections are those who will allow business functions to focus on new ideas. In doing so, these CEOs will stop seeing cybersecurity as a cost center and start seeing it as a value creator.

Written in collaboration with Jeremy Pizzala, EY Asia-Pacific Cybersecurity Consulting Leader.

The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organization or its member firms.