I’ve noticed a tendency within my client base to spend on compliance reporting tools ahead of asset management or threat modelling. This seems the wrong way round to me, as accurate software and hardware asset registers are the basis for most other security programs, and it’s impossible to run a compliance program unless you know what the state of your asset base is. EY’s observation about the key driver being regulation puts this in perspective:
- EY’s research shows that the best way to get companies to improve their cyber posture to protect their business and customers is to increase regulation, as this is the biggest driver of cyber investment, not digital transformation, cloud or risk management.
- In EY’s 2020 Global Information Security Survey, 19% of respondents said that the number one reason they get funding for cybersecurity is to comply with regulation.