EY’s latest Global Information Security Survey illuminates critical aspects of how EY sees itself positioned in the cybersecurity services market, even as it informs on the trends and troubling developments across the information security space. Reviewing a preview of the results, TBR was struck by three elements: First, EY clearly sees itself as the bridge between security professionals and their internal colleagues, a role that requires technical expertise and, more importantly, trust from all sides. Second, understanding the toughest challenges facing chief information security officers (CISOs) does not require EY staff to be security experts as much as it requires navigating clients’ organizations and budgets and metrics. Third, evaluating security concerns (or lack thereof) across a client’s entire organization becomes even more challenging for EY when the threats change dramatically, as this year’s survey shows.
The bridge between security and … everyone else
When previewing the survey results with TBR, EY security leaders repeatedly described the firm’s role within a client’s organization as the bridge: between security professionals and business leaders, between security professionals and board members, and between security professionals and industry leaders (both internal and external). According to EY, the firm revamped the survey for 2020 with a fresh approach to reflect clients’ emerging appreciation for the role of bridging often difficult and strained relationships between security professionals and their own colleagues. One of the starkest findings, in TBR’s view, showed respondents’ ratings of the relationships between the security teams and other groups within their organizations, ranging from Neutral, Distrust or Non-Existent to High Trust and Consultation. Not surprisingly, IT departments had the most trust in security teams, while more than 70% of the respondents indicated the relationship between marketing and security teams rated neutral or worse. While it is understandable that marketing teams would chafe at restrictions placed on them by security concerns, EY’s critical insight revolved around “New Initiative Owners,” which includes marketing. If new investments and reallocated budget dollars (as well as C-Suite and board interest) flow toward lines of business, R&D and marketing, but security teams have poor relationships with those groups at more than 55% of enterprises, EY’s role as a bridge becomes even more critical. Security teams cannot get sustained support and new funding if their colleagues driving new business do not see them as teammates or even positive actors within the organization.
TBR believes that EY’s efforts to position itself as a bridge conform with the firm’s overall approach to consulting and play to EY’s strengths around risk and compliance. In addition, playing that role demands a high level of trust among all the groups within a client; EY has invested heavily in building that level of trust and continues to benefit from it. Immediate technology-centric opportunities in connection with migration and management of SAP S/4HANA workloads can serve as a use case and strengthen EY’s trust with the IT buyer, a persona with which the firm looks to strengthen its relationship, especially when it comes to application and data security management. Challenging for EY, however, is the fact that most organizations continue to make reactionary decisions around security and frequently bring security concerns and requirements into a business initiative well after the first few developmental stages. These variables create opportunities for EY as a security services consultancy and potentially enhance the firm’s role within clients.
In a discussion with TBR prior to the release of the 2020 Global Information Security Survey, EY previewed the survey’s findings and how the firm sees a changing role for itself in the security services market. In TBR’s view, the survey’s most notable findings underscore strategic moves by EY to evolve its security services practice, including a focus on bridging organizational gaps between security teams and business leaders within EY’s clients.