This year, we are delighted that more than 1,400 respondents have
taken the time to participate in our research — we are grateful to all of
you. EY analysis of the responses from CIOs, CISOs and other executives
shows that many organizations are increasing the resources they devote
to cybersecurity, but also that they remain deeply concerned about the
scale and severity of the threat.
That is as it should be. Cyber risks are evolving; any organization that
regards itself as safe from cyber attack is likely to be in for a shock.
This year’s GISS explores these themes in more detail. By sharing ideas
and leading practices, we can improve cybersecurity for all.
01 The future state of cybersecurity
03 Optimize cybersecurity
04 Enable growth
06 Survey methodology
After a year in which organizations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, this year’s EY Global Information Security Survey (GISS) shows cybersecurity continuing to rise up the board agenda. Organizations are spending more on cybersecurity, devoting increasing resources to improving their defenses, and working harder to embed security-by-design.

However, the survey results also suggest that organizations need to do more. More than three-quarters (87%) of organizations do not yet have a sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated.

The challenge is for organizations to progress on three fronts:
• Protect the enterprise. Focus on identifying assets and building lines of defense.
• Optimize cybersecurity. Focus on stopping low-value activities, increasing efficiency, and reinvesting the funds in emerging and innovative technologies to enhance existing protection.
• Enable growth. Focus on implementing security-by-design as a key success factor for the digital transformations that most organizations are now going through.

These three imperatives must be pursued simultaneously. The frequency and scale of the security breaches all around the world show that too few organizations have implemented even basic security.

However, even as they seek to catch up, organizations must also move forward, fine-tuning existing defenses to optimize security and support their growth. As the digital transformation agenda forces organizations to embrace emerging technologies and new business models — often at pace — cybersecurity needs to be a key enabler of growth.
• 50%: The number of local authorities in England relying on unsupported server software[3]
• 2 million: The number of stolen identities used to make fake comments during a US inquiry into net neutrality[4]
• 1,946,181,599: The total number of records containing personal and other sensitive data compromised between January 2017 and March 2018[5]
• US$729,000: The amount lost by a businessman in a scam combining “catphishing” and “whaling”[6]
Our analysis suggests that significant numbers (77%) of organizations are still operating with only limited cybersecurity and resilience. They may not even have a clear picture of what and where their most critical information and assets are — nor have adequate safeguards to protect these assets.

That is why it is important for most organizations to continue to zero in on the very basics of cybersecurity. They should first identify the key data and intellectual property (the “crown jewels”), then review the cybersecurity capabilities, access-management processes and other defenses, and finally upgrade the shield that protects the company.

Questions that organizations must consider:
• What are our most valuable information assets?
• Where are our most obvious cybersecurity weaknesses?
• What are the threats we are facing?
• Who are the potential threat actors?
• Have we already been breached or compromised?
• How does our protection compare with our competition?
• What are our regulatory responsibilities, and do we comply with them?

In this chapter, we look at the four vital components of protecting the enterprise:
1. Governance. Organizations should address the extent to which cybersecurity is an integral part of the strategy of the organization, and whether there is enough funding for the necessary investment in defense.
2. What is at stake? What do organizations fear most, and how do they regard the biggest threats they are facing?
3. Protection. The maturity of the cybersecurity of an organization and the most common vulnerabilities are key.
4. Breaches. How breaches are identified and the way in which organizations respond are critical issues.

One overarching problem is skills shortages: estimates identify a global shortfall of about 1.8 million security professionals within five years.[9] Even in the most well-resourced sectors, organizations are struggling to recruit the expertise they need.

Financial services is one example. “The evidence in financial services is increasingly that the best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector,” says Jeremy Pizzala, EY Global Financial Services Cybersecurity Leader.

Attracting more women and minorities into the cybersecurity workforce — both to swell the numbers and to build a resource better able to counter the threat — is a challenge in itself. “The industry needs to spearhead concerted efforts to fill the ranks, and do so properly, with women and minorities,” says Shelley Westman, a principal with Ernst & Young LLP cybersecurity team. “Diversity is a business imperative. Diverse teams drive better results across the organization. They are more innovative, objective and collaborative. That’s critical in cybersecurity where every day is a fight to stay a step ahead of the attackers.”
1. Governance
Is cybersecurity part of the strategy?
And is it in the budget?
How organizations’ total cybersecurity budget is set to change in
the next 12 months:
Stayed approximately the same (between +5% and -5%) 40% 31%
Decreased between 5% and 15% 4% 2%
Decreased between 15% and 25% 1% 1%
Decreased by more than 25% 1% 1%
Have seen an increase in their budget this year
2. What is at stake?
What is the biggest fear?
And what are the biggest threats?

Top 10 most valuable information to cyber criminals
5. Customer passwords (11%)
6. R&D information (9%)
7. M&A information (8%)
8. Intellectual property (6%)
9. Non-patented IP (5%)
10. Supplier information (5%)

Top 10 biggest cyber threats to organizations
5. Fraud (10%)
6. Cyberattacks (to steal IP) (8%)
7. Spam (6%)
8. Internal attacks (5%)
9. Natural disasters (2%)
10. Espionage (2%)

See phishing as the biggest threat
Rank espionage as a threat
3. Protection
What are the riskiest vulnerabilities?
How mature is cybersecurity?

Vulnerabilities increase when it comes to third parties. Only 15% of organizations have taken basic steps to protect against threats coming through third parties; 36% are aware of the risks through self-assessments (22%) or independent assessments (14%); therefore 64% have no visibility on this issue. Among smaller companies, this rises to 67%.

Larger companies are more mature than their smaller counterparts. For example, 35% have a formal and up-to-date threat intelligence program, compared with 25% of smaller organizations, and 58% say their incident response program is up to date, compared with 41% of smaller organizations.

“It’s still taking many months to pick up sophisticated attacks. The challenge in this space is that identifying the right advanced threat detection and identification tools is difficult — organizations really struggle with the nuance of why one solution is more suitable than another. As a result, relatively few have implemented
Dave Burg, EY Americas Cybersecurity Leader
Vulnerabilities with the most increased risk exposure over the past 12 months
Related to smartphones/tablets 8%

34% of organizations see careless/unaware employees as the biggest vulnerability

53% have no program – or an obsolete one – for one or more of the following:
• Threat intelligence
• Vulnerability identification
• Breach detection
• Incident response
• Data protection
• Identity and access management
4. Breaches
How are breaches identified?
How do organizations respond?

Organizations concede that they would be unlikely to step up their cybersecurity practices or spend more money unless they suffered some sort of breach or incident that caused very negative impacts.

A breach where no harm was caused would not lead to higher spending for 63% of organizations (in most cases harm has been done, but has not come to the surface yet). Many organizations are unclear about whether they are successfully identifying breaches and incidents. Among organizations that have been hit by an incident over the past year, less than a third say the compromise was discovered by their security center.

“The really smart and forward-thinking companies now have two budgets. They have their traditional budget for what they need to do and the projects they are pursuing, but they also have a contingency budget for unexpected eventualities such as the emergence of a new type of threat or a breach or compromise.”
Dillon Dieffenbach, EY Japan Cybersecurity Leader

[Chart: SOC; Business function; Third party; Other; Have not had a significant incident. Values shown: 46%, 6%, 8%]
Of organizations report a list of breaches in their information security reports
Had no incidents (or don’t yet know about them)
Increased their cybersecurity budget after a serious breach
In the spotlight
The healthcare sector is having to store increasing quantities of personally identifiable and sensitive information. This year’s GISS suggests that the sector’s awareness of cyber risks is increasing, and many organizations are determined to put stronger protections in place. Progress has been made, but more work is necessary.

The healthcare sector has seen a number of cybersecurity incidents and alerts in recent months. In one incident, the health records of almost 100 million patients worldwide were put at risk by security bugs found in one of the world’s most widely used patient and practice management systems.[10] In another, information such as the full names, dates of birth, insurance information, disability status, and home addresses of 2 million patients in Central America were exposed by a security failure.[11]

Healthcare data is extremely valuable on the “dark web”, which makes healthcare organizations attractive to attackers. One in 3 US healthcare organizations have suffered a cyberattack, and 1 in 10 have paid a ransom.[12]

• Governance. Half of healthcare and Government & Public Sector organizations say they have increased spending on cybersecurity over the past 12 months, while 66% plan to spend more over the next 12 months.
• What is at stake? 17% of companies in the healthcare sector say that customers’ personal and identifiable information is most valuable to cyber criminals, while 25% say that malware has most increased their risk exposure.
• Protection. Careless or unaware employees are seen by healthcare companies as the vulnerability that has most increased their risk exposure over the past 12 months (cited by 33%).
• Breaches. Only 18% of healthcare companies are very confident that they would be able to detect a sophisticated attack on their organization.
In the spotlight
The energy sector is an increasingly sophisticated user of emerging technologies, but this means it is facing more and more vulnerabilities in its information technology and operational technology. Successful attacks on this sector have the potential to cause devastating consequences, depriving communities of power and even jeopardizing citizens’ safety.

There is plenty of evidence to show that energy companies are on the radar of cyber criminals — including the most sophisticated ones. In one recent case, security researchers found evidence of Russian hackers seeking to infiltrate US power companies.[13] In another, electricity companies were targeted in a spear phishing[14] scam thought to originate from North Korea.[15]

The threat has prompted regulators in Europe and elsewhere to look into new regulation to encourage the sector to focus on protecting enterprises.[16]

EY research suggests that energy companies now recognize these imperatives and are determined to protect themselves:
• Governance. Over half (57%) of energy companies have increased spending on cybersecurity over the past 12 months, and 68% plan to spend more over the next 12 months.
• What is at stake? 15% of companies in the sector regard customers’ personal and identifiable information as most valuable to cyber criminals, but 14% say corporate strategic plans are; 27%, meanwhile, say that phishing has most increased their risk exposure.
• Protection. About 3 in 10 energy companies (29%) say that careless or unaware employees are the vulnerability that has most increased their risk exposure. About the same proportion (28%) cite outdated information security controls or architecture.
• Breaches. More than 4 in 10 energy companies (42%) say they have not had a significant cybersecurity incident in the past 12 months.
03 Optimize cybersecurity
This year’s GISS suggests that 77% of organizations are now seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities.

These organizations are continuing to work on their cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently. Part of that effort is considering and implementing artificial intelligence, robotic process automation, analytics and more to increase the security of their key assets and data.

Questions these organizations must focus on include:
• What is our cybersecurity strategy — what are our “crown jewels”?
• What is our tolerance and appetite for risk?
• Are there any low-value activities we could do more quickly or more cheaply?
• How could technologies such as robotic process automation, artificial intelligence, and data analytics tools help us?
• Where do we need to strengthen our capabilities further?
• What can we stop doing, and how do we invest the resources we free up?

In this chapter, we look at the four vital components of optimizing cybersecurity:
1. The status today. To what extent is an organization’s information security function currently able to meet its cybersecurity needs?
2. Investment priorities. Where is investment needed to update capabilities to the standard required?
3. In-house or outsourced? What is the best way to develop new cybersecurity capabilities and who should take the lead?
4. Reporting. How well is the organization able to evaluate its own capabilities and report back to key stakeholders?

At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way.

Smaller companies are more likely to be lagging behind. While 78% of larger organizations say their information security function is at least partially meeting their needs, that falls to just 65% among their smaller counterparts.

Cyber criminals are raising their game, and the price of failure is high. In one recent attack, an Indian bank lost 944 million rupees (US$13.5m) after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash
EY Global Information Security Survey 2018–19
Overall, 92% of organizations are concerned about their information security function in key areas. Resources are a key issue: 30% of organizations are struggling with skills shortages, while 25% cite budget constraints.

Smaller companies are especially concerned: 28% say their information security function does not currently meet their needs or is to be improved, and 56% say they have skills shortages or budget constraints.

“Some organizations may be overstating their resilience and security. Organizations may well have protection in parts, but the emerging cyber threat exists across many domains. The focus on enterprise security is one thing, but what about in the manufacturing and production environment, which might be digital or physical – and what about in the supply chain?”
Sean Wessman, EY Global Automotive and Transportation Cybersecurity Leader

[Chart: Fully meets needs; Partially, and there are plans to improve; Partially, but there are no plans to improve; To be improved; Does not meet needs. Values shown: 4%, 8%]
Of organizations have information security functions that fully meet their needs
Would be unlikely to detect a sophisticated breach
Are spending more on cyber analytics
2. Investment priorities
Where are the gaps?
Where are resources needed most urgently?

Better incident-response planning and execution is one important area where more organizations now need to optimize their capabilities. Forensics is a particular area of weakness, and this undermines organizations’ ability to understand what has gone wrong and to improve protections.

Smaller companies are especially concerned: 39% say they are poor at identifying breaches, and 52% are worried about their forensics capabilities.

“Organizations need to look beyond preventive measures in their security assessments. A notable risk, based on our experience, is that many organizations have still not developed a robust cyber response plan.”
Andrew Gordon, EY Global Forensic & Integrity Services Leader

35% of organizations have cyber insurance that meets their needs

<10% believe they are mature on:
• Architecture
• Identity and access management
• Metrics and reporting
• Software security
• Third-party management
• Threat and vulnerability management
3. In-house or outsourced?
How do organizations improve their capabilities quickly?
What should they do for themselves, and where do they need to look
outside for help?
[Chart: Which functions of your security operations center are outsourced? Series: In-house; Outsourced. Functions: Real-time network security monitoring; Incident investigation; Digital and malware forensics; Threat intelligence collection and feeds; Threat intelligence analysis; Cybersecurity exercise creation and delivery; Vulnerability scanning and management; Penetration testing. Values shown: 75%, 25%, 49%, 61%, 39%, 25%, 75%]
Of larger organizations have a security operations center
Of smaller organizations have a security operations center
4. Reporting
Is the organization gathering information on cybersecurity capabilities and incidents?
How is this being reported to stakeholders?

Only 15% of organizations say their information security reporting currently fully meets their expectations.

Smaller companies will need to move particularly quickly: almost a quarter (23%) do not currently produce information security reports, compared with 16% of larger organizations.

“The interest in cybersecurity reporting at board level has grown from attempts to understand technology to the point where boards now have a fiduciary responsibility to manage cybersecurity risk. Directors, shareholders and regulators are pressing for better reporting, even if organizations are not yet moving toward a posture of external disclosure.”
Dave Padmos, EY Global Advisory Technology Sector Leader

[Chart: I do not receive reports; Reports do not meet expectations; Reports meet some expectations; Reports meet all my expectations]
Of organizations cite the number of attacks in their information security reports
Set out the financial impact of each breach
Report on areas for improvement
In the spotlight
Consumer & Mobility
In the spotlight
Financial services
04 Enable growth
Organizations are going through a process of digital transformation. The nature of each transformation varies depending on the organization, but they will all have one or more of the following components: online sales/support to customers, supply chain integrations, application of robotic process automation, artificial intelligence, blockchain and analytics, business model disruption, and workplace innovation.

Organizations are now convinced that looking after cyber risk and building in cybersecurity from the start are imperative to success in the digital era. The focus now should also be on how cybersecurity will support and enable enterprise growth. The aim? To integrate and embed security within business processes from the start and build a more secure working environment for all. Security-by-design should be a key principle as emerging technologies move center stage.

To achieve these goals, organizations will need an innovative cybersecurity strategy rather than responding in a piecemeal and reactive way. The customer experience must be a key consideration.

Questions organizations must ask during their digital
• Is our entire supply chain secure?
• How do we design and build new channels that are secure by design?
• Where does cybersecurity fit into our digital transformation-enabled business model?
• Could strong privacy and data protection be a potential competitive differentiator?
• How focused on cybersecurity is our board as it pursues its digital ambitions for the organization?
• How are our most senior executives taking ownership of and showing leadership on cybersecurity?
• Do we have sufficient focus on cybersecurity in our entire

In this chapter, we look at the four vital components of making cybersecurity part of the growth strategy:
1. Strategic oversight. To what extent do boards charged with pursuing digital transformation appreciate the need to build cybersecurity into their growth strategies?
2. Leadership. Who are digital organizations asking to take the lead on cybersecurity, and how is accountability delivered?
3. Digitalization. As organizations make greater use of digital technologies, how much does this increase cybersecurity vulnerabilities?
4. Emerging technologies. Where are organizations increasing investment in cybersecurity in order to build security-by-design?

Based on this year’s survey, however, only a small number of organizations are concerned about the vulnerabilities to which emerging technologies are now exposing them. This is worrisome — not least because these technologies are also available to attackers. Security researchers at IBM have pointed to the potential for artificial intelligence to be used in developing malware: they developed a code called DeepLocker that can conceal its intent until after the target has been infected.[23]

But there is also good news. Many organizations now regard emerging technologies as a high priority for cybersecurity spending. That includes cloud, which is a much more established technology for most organizations, but also areas such as robotic process automation, machine learning, and artificial intelligence — and even the Internet of Things. Nonetheless, in most cases organizations do not yet intend to spend more on protecting themselves in these areas. Only cloud is marked out for additional spending by a clear majority of organizations.
1. Strategic oversight
Does the organization have structures that make cybersecurity a key
element of the board’s strategic planning? Is good governance in place?
Some 70% of organizations say their senior leadership has a comprehensive understanding of security or is taking positive steps to improve their understanding.

However, larger organizations have made more progress: 73% have at least limited understanding, compared with 68% of their smaller counterparts.

“We need to see a rapid ramp-up of security-by-design. Many organizations are pursuing digital transformation at a breakneck pace, and there is a danger that cybersecurity is left behind. While it remains imperative to fix the organization’s legacy systems, this must not be allowed to distract from building in strong protections from the start as emerging technologies are adopted.”

[Chart: 39% Limited; No, but trying to improve; No, and no plans to improve]
Of organizations say that information security fully influences business strategy plans on a regular basis
Say that information security influences business strategy plans somewhat or not at all
2. Leadership
Who is ultimately accountable for cybersecurity?
How do they show the leadership that drives leading practices across the organization?

The ultimate responsibility for information security is increasingly held at the most senior levels of the company. For 40% of organizations, the chief information officer (CIO) takes this responsibility.

Four in 10 organizations (40%) say that the person with ultimate responsibility is a member of the board or executive management. As security becomes a key enabler of growth, this proportion is likely to increase. Right now, smaller organizations are more likely to have information security accountability at board level than larger organizations.

“New types of roles are also emerging. We’re now seeing the rise of the chief security officer (CSO). The CSO might be reporting to a chief information and security officer (CISO) or even a CIO, but he or she sits outside the CIO organization. They’ve got accountability for cyber risk, physical security risk, and personal security risk, while the CISO or CIO are the ones focused on broader cyber transformation.”
Simon Adler, EY Global Digital Identity & Access

[Chart: No, but trying to improve; No, and no plans to improve]
Of organizations say that the person directly responsible for information security is not a board member
3. Digitalization
As organizations pursue transformation, how does it increase their risk
profile? What threats do new technologies pose?
Challenges related to the Internet of Things
Lack of skilled resources 10%
Tracking access to data 9%
Managing the growth in access points to your organization 8%
Defining and monitoring the perimeters of the business’s ecosystem 7%
Lack of executive awareness/support 5%

Are most concerned about the Internet of

“The value of data increases with its curation, so now is your chance to clean up your legacy information stores. As you integrate ecosystems with multiple suppliers, vendors and partners, there is an opportunity to build security into data management from the start. That opportunity is open to everyone.”
4. Emerging technologies
Where to prioritize investment from a cybersecurity perspective?
How to promote security-by-design?

[Two charts: “Priorities for cybersecurity investment this year” and “Spending compared to last year”. Each technology has three values per chart, listed in the order they appear; the series labels are missing.]
Cloud computing: priorities 52%, 11%, 37%; spending 57%, 6%, 37%
Cybersecurity analytics: priorities 38%, 11%, 50%; spending 52%, 5%, 43%
Mobile computing: priorities 33%, 16%, 52%; spending 35%, 7%, 58%
Internet of Things: priorities 25%, 27%, 48%; spending 29%, 9%, 61%
Robotic process automation: priorities 18%, 37%, 45%; spending 31%, 11%, 58%
Machine learning: priorities 16%, 36%, 48%; spending 27%, 11%, 61%
Artificial intelligence: priorities 15%, 39%, 43%; spending 26%, 11%, 63%
Biometrics: priorities 15%, 41%, 44%; spending 15%, 13%, 72%
Blockchain: priorities 14%, 48%, 37%; spending 15%, 15%, 69%

“Those industries that are turning quickest to the digital opportunity must now spend the money on the cybersecurity side of things. They have to incorporate cybersecurity into the new architectures they’re constructing – to take the opportunity to get rid of legacy systems that weren’t built around protection and resilience.”
In the spotlight
Technology, Media & Entertainment and
Technology, Media & Entertainment and Telecommunications (TMT) organizations, which are so often at the forefront of disruption and transformation, may also be in a position to lead the way on cybersecurity.

But while start-up businesses with no legacy infrastructure have had an opportunity to embrace security-by-design from the start, that does not apply to all companies in the sector – many telecommunications organizations, for example, still operate assets installed decades ago.

Nevertheless, our research suggests that TMT businesses do recognize the importance of embedding cybersecurity into their growth strategies:
• Strategic oversight. Over half of TMT organizations (53%) say that information security fully influences their business strategy and plans.
• Leadership. At 47% of TMT companies, the person with direct responsibility for information security is on the board or is a member of the executive management team.
• Digitalization. 16% of the TMT organizations in the research say their risk exposure has increased the most by smartphones, Internet of Things technologies or social media over the past 12 months.
• Emerging technologies. Regarding new technologies, TMT organizations intend to increase their cybersecurity spending across the board. Cloud computing will be a particularly important focus, with 52% planning increased budgets.

Some threats to the TMT sector are indiscriminate — the chipmaker Taiwan Semiconductor, for instance, said in August 2018 that it had to stop production because of a variant of the WannaCry ransomware that has caused such damage across many industries.[24]

Other attacks are focused on technology companies’ innovations. For example, both Google and Apple are fighting a constant battle to weed out apps from their Google Play and App Store respectively, with criminals offering malicious applications that masquerade as legitimate apps[25]; while messaging apps are increasingly being used to propagate phishing scams.[26] Elsewhere, Amazon moved quickly to shut down a flaw after researchers found a way to turn its Echo smart speaker into an eavesdropping device.[27]
What is at stake?
Phishing and malware underpin a large number of successful attacks; the GISS shows that organizations see them as the biggest threats.
Build awareness around phishing and malware — become ‘click-smart’. Technology can help with phishing/malware email simulations.

Protection
Organizations are potentially connected with thousands of third parties; they are therefore more dependent on the security measures taken by those third parties.
Focus the security strategy and program on the entire eco-system of the organization: what threats will hurt us because of the lack of security at our third parties? Do we want to continue working with unsecure third parties? How can we help them?

Breaches
Most organizations increase their cybersecurity budget after they have experienced a breach. In most cases the breaches are not identified by the organization.
Increase cybersecurity budgets now (instead of after the fact) and focus the spend on threat detection and response. This will lower risk profiles significantly.

Optimize cybersecurity

Investments are necessary in many areas but above all in preparing for and dealing with a security breach. For many organizations, this is still a green field especially related to forensics.
It may be difficult to quickly build up forensic capabilities in house. Instead look to build a relationship with an outside vendor with these capabilities; have them available for when a breach occurs.

In-house or outsourced
Many organizations are currently outsourcing cybersecurity functions, including functions of their security operations centers.
Focus on where investment will be most effective, balancing the resources available in-house with the capabilities of external

Reporting
Most organizations are not satisfied with their reporting on security operations or security breaches.
Be more open around security operations (what we have done, where the gaps are, where we have breakdowns); this will help boost understanding of the threats and encourage the organization to take appropriate action.

Enable growth

Strategic oversight is on the rise. The executive management in 7 of 10 organizations has a comprehensive understanding of cybersecurity or has taken measures to make improvements.
This is a huge step forward; put cybersecurity at the heart of corporate strategy.

Leadership
More board members are taking ultimate responsibility for cybersecurity, currently in 4 of 10 organizations.
Cybersecurity must be an ongoing agenda item for all executive and non-executive boards. Look to find ways to encourage the board to be more actively involved in cybersecurity.

Digitalization
The threats related to the use of smart phones, the Internet of Things and operational technology are not yet well understood. Only a small number of organizations name these areas as high risk areas.
Focus on cybersecurity as part of digital transformation strategy. The success of many digital projects will depend on establishing trust with customers.

The GISS shows many organizations are thinking about how emerging technologies can help with further optimizing cybersecurity. Priority and investments are well aligned.
Continue the focus on emerging technologies. Cyber criminals are also investing here, in artificial intelligence, for example. Resist the temptation to scale back investment in these key technology areas.
06 Survey methodology
The 21st edition of EY Global Information Security Survey captures the responses of over 1,400 C-suite leaders and information security and IT executives/managers, representing many of the world’s largest and most recognized global organizations. The research was conducted between April-July 2018.

“Larger organizations” are defined in this report as organizations with annual revenues of US$1b or more. This group represents one-third of the total respondents to this survey. “Smaller organizations” are defined in this report as organizations with annual revenues below US$1b. This group represents two-thirds of the total respondents to this survey.

[Chart: Respondents by area. Labels shown: EMEIA; Asia-Pacific. Values shown: 17%, 49%, 29%, 4%]
[Charts, partially recovered: 20001-25000 2%; Health 3%; Life Sciences 2%; Telecommunications 4%]
[Chart, partially recovered: Less than US$10 million 19%; US$10 million to US$100 million 21%; US$100 million to US$1 billion (value missing); US$1 billion to US$10 billion 24%; US$10 billion or more 11%]

The Consumer & Mobility cluster includes respondents from Automotive & Transportation, Consumer Products & Retail and Real Estate Hospitality & Construction sectors. The Energy cluster includes respondents from Mining & Metals, Oil & Gas and Power & Utilities sectors. The Financial Services cluster includes responses from Banking & Capital Markets, Insurance and Wealth & Asset Management sectors. The Healthcare cluster includes responses from Government & Public Sector, Health and Life Sciences sectors. The TMT cluster includes respondents from Technology, Media & Entertainment and Telecommunications sectors.
