Contact Us

Cyber Security insights with Carol Murphy, EY Ireland Consulting Partner and Head of Technology Risk

Cyber Security | March 27, 2022
Carol Murphy

EY recently published their Global Information Security survey and I spoke to Carol Murphy EY Ireland, Consulting Partner and Head of Technology Risk about it. A Partner at EY Consulting, Carol is a Partner at EY Consulting and leads the Technology Risk practice, including cyber and data protection, IT governance and IT performance, as well as programme assurance and digital assurance services.

She is also the EY Lead for the Connecting Women in Technology Network. Carol has worked over the years with numerous clients on significant business and IT transformation programmes, providing oversight and assurance to key stakeholders

Tell me more about the Global Information Security survey.

Sure, well, this is a survey that we’ve done for over 20 years across global organisations. It was asking for the views of our clients mainly in the CFO, CTO CIO role, and their perspectives related to their technology risk landscape.

So, this year, I think we have some interesting findings, including a recognition of the huge challenge of the digital transformation that has happened over the last number of months, you know, in response to the global pandemic, some of the vulnerabilities and concerns that have emerged as a result of that.

So, we’ve clearly got some  good insights out of that now, in terms of, I suppose you know, both, you know, the volume and severity of incidents that are happening. And I suppose the challenges that our Irish CIO’s and global CIO’s are experiencing, in dealing with those challenges, both from a technical and a funding perspective. But also, in relation to I suppose really engaging with the business around those and getting the right support to, to be able to secure the right investments and build the right capabilities to respond.

Carol did you find that companies who have always been upgrading software and hardware are the ones that are more secure?

To an extent, we have seen lots of investment in technology. But also, I suppose, we have also seen that there has been bypassing of a lot of entities of security and privacy controls and technologies, you know, maybe with I suppose the rapid transition to remote working taking priorities. So, there’s a whole retrospective piece that needs to be done there in terms of remediating some of those issues, etc.

But of course, we have seen organisations really investing, you know, in their defences, and in their technology, from a security perspective, I suppose, you know, like anything, our recommendation is not only about the technology. It’s really to take a more integrated, realistic approach than that. To make sure that actually, you know, organisations are thinking not just about having the, you know, best in class, or fit for purpose, technical solutions. But they’re also thinking about that in the context of, you know, having good processes, having the right governance, and also, I suppose, encouraging the right behaviours, and the right awareness, in their people, because the biggest concern here is the human factor.

We always say you’re only as strong as your weakest link, and usually, your weakest link is something that happens by you know, somebody kind of inadvertently clicking on a link, or, you know, potentially somebody, you know, being, I suppose, coerced or, you know, collaborating with, you know, with malicious third parties or something to, exploit some of those vulnerabilities to commit fraud. So, really, we think there needs to be a big focus, not just on the technology, but much more broadly, on governance and people.

So, I guess education on how to keep yourself secure and make sure you don’t click on the wrong links, or open wrong emails, and also with governance, what do you recommend they do when it comes to governance?

I think we will expect to see more CSO’s and we also expect to see more CSO’s that potentially don’t report to the CTO or CIO. They will actually have a reporting line into a chief risk officer or a Chief Compliance Officer or in some cases, potentially even CEOs the most senior level management in the organisation. So, I think that’s something we’re going to see more evolution of, in the coming months and years, you know, and just really in recognition, I suppose of the priority that boards and audit committees are placing on cybersecurity as a top risk for them.

So, it’s on every corporate risk register that we see now, usually at the top five or top three. And then I think, you know, we’ll certainly see a lot more scrutiny around that. So, while I think that has been there for quite a while, what we’re seeing now is that boards and audit committees are asking questions of management, you know are they including their CIOs and CTOs and CISOs and not about what is our cyber security, posture, and what are we doing about it? It’s what would be our level of readiness, our level of preparedness if we were to experience an incidence.

So that conversation is really moving on now. It’s not just about you know, asking the question or ticking the box, but going a lot deeper in terms of, you know, if we were to be subjected to some kind of attack. How prepared would we be? How quickly would we detect it? How would we contain it? How would we prove we have the right capabilities to deal with it? And how would we continue to run the business?

And that’s where this is moving to, as well, from a governance perspective, and much less about, you know, the technology in terms of detecting or preventing an incident. It’s much more about recognising that because these incidents now are happening more frequently, they’re lasting longer, and they’re more severe in terms of the impact that organisations are now having to really look at.

How are we going to continue to run the business, so it becomes much more of a business continuity conversation, in terms of how do we prioritise our systems and our services and our customers and our suppliers? You know, what sequence of events would we need to implement? And how long is it going to take, because these incidents are not recoverable in a matter of hours or days anymore, they’re taking weeks or taking months, even if we think about what’s happened in our national health service, which was probably the most severe incidence in the history of the state, on our critical national infrastructure.

You know, that is taking, a huge amount of effort and many months to recover and respond to and in all that time, there is a need to continue delivering the services to patients, you know, at the community, which is a real challenge. So, we’re seeing lots more businesses, being very focused on business continuity, you know, in response to a cyber incident, which is a much broader conversation that we’ve seen happening up to now.

And, if you’re, you know, working on a cyber-attack, it’s hard to deal with, because you’re not dealing with integrating one or two, three buildings, it’s all over the world or country.

That’s it because you know, these incidents are obviously not limited to or contained within one space, there is a much broader ecosystem. And so, if these incidents are hitting enterprises, they’re hitting your infrastructure, they’re taking down your ability to collaborate, your email, you know, your team’s, your zoom, your ability to connect with people, that’s fundamental, and, you know, wide reaching. Of course, even if you manage to contain it, we’re still going to have a level of recovery to do and an awful lot of testing, and an awful lot of monitoring, etc. So, these things really take time, they’re really challenging for businesses to navigate.

See more Stories here.

This content was originally published here.