Despite all the attention that massive hacks and other breaches have attracted in recent years, organizations everywhere still struggle to comprehend the scale of emerging cyber-risks and to manage them. Of the more than 9,500 senior executives in 122 countries who participated in PricewaterhouseCoopers' Global State of Information Security Survey (GSISS) 2018, only 39% say they are very confident in their attribution capabilities — that is, their ability to detect and trace cyberattacks.
As highlighted in the GSISS report, US infrastructure is still susceptible to what the World Economic Forum (WEF), in its Global Risk Report 2017, deems the prime business risk in North America: "large-scale cyber-attacks or malware causing large economic damages, geopolitical tensions, or widespread loss of trust in the internet."
"All organizations, no matter how prepared they think they might be, need to verify whether strategic cybersecurity goals are being executed," Grant Waterfall, partner at PwC and global leader of its cybersecurity and privacy practice, told me in an interview. "The UN's 2017 Global Cyber-Security Index ranks the United States among the member states most committed to cybersecurity, second only to Singapore. And yet the White House's National Infrastructure Advisory Council wrote in an August 2017 report that many US infrastructure companies are not practicing basic cyber hygiene despite the availability of effective tools and practices," he adds.
Where Are the CISOs?
Some 40% of GSISS respondents say that disruption of their operations is the biggest potential consequence of a cyberattack. Another 39% cite the compromising of sensitive data, 32% cite harm to product quality, 29% cite damage to physical property, and 22% cite harm to human life as the biggest by-products of an attack.
Meanwhile, cybersecurity executives are either absent or thin on the ground in many organizations. Only about half (52%) of respondents say their organizations have a CISO on the payroll. While 45% say they employ a chief security officer, another 47% say they recruit dedicated security staff to support internal business operations.
"Cyber-risk management is a journey—and many organizations are not far enough along on that journey to realize the need for dedicated senior-level oversight of these issues," Waterfall said. "Also, in some cases it is a question of resources. Many small- and medium-sized businesses, including critical infrastructure companies, lack the resources of larger organizations. And cybersecurity resources are scarce."
Wanted: Board-Level Oversight, Proactive Risk Management
It's clear that leaders must assume greater responsibility for building cyber resilience. In the private sector, the people responsible for business results must also be held accountable for the security risks associated with doing business. Boards, too, must exercise effective oversight and proactive risk management. Strategies for business continuity, succession planning, strategic alignment, and data analytics are key, yet the 2018 GSISS found that most corporate boards are not taking tangible action to shape their companies' security strategies or investment plans. Only half of respondents say their organizations conduct background checks (pen tests, threat assessments, active security monitoring, etc.) to uncover cyber-risks. Similarly, only 44% of GSISS respondents say their corporate boards actively participate in their companies' overall security strategy.
According to the GSISS, cyber threats are among the top concerns for CEOs today. In fact, the US CEOs surveyed ranked cyber threats No. 2 among their top worries, second only to the prospect of over-regulation. In addition, the survey identifies the fastest-rising worries for US CEOs as cybersecurity, the speed of technological change and the lack of trust in business.
Organizations Must Dig Deeper to Uncover Risks
Building greater resilience against cyber threats — as a society and within organizations — will require a concerted effort to uncover and manage new risks inherent in emerging technologies. Organizations need to have the right leadership and processes in place to implement the security measures required by digital advances. Many organizations are just beginning this critical journey.
Because it is often a result of boards' lack of involvement in security measures, this lag should come as no surprise. Just under half of all GSISS participants agree that risk is the only factor that matters when it comes to security spending. Roughly one-third disagree, and the remaining participants are on the fence. A majority of GSISS respondents (66%) say their organizations' security spending aligns with the revenues of each line of business, but one-third (34%) say that is not the case or they are unsure. As the CISO function grows in importance, it will become more common for a company's security leader to report directly to the CEO or the board of directors than to the CIO.
But it's not just up to boards. Greater information sharing and coordination among stakeholders is also high on the to-do list. Only 58% of respondents say they formally collaborate with others in their industry, including competitors, to improve security and reduce the potential for future risks. Trusted, timely, actionable information about cyber threats is a critical enabler for rapid-response capabilities that support resilience.
Next Steps for Security and the C-Suite
Ultimately, C-suites must lead the charge — and boards must be engaged. Senior leaders driving the business must take ownership of building cyber resilience. Establishing a top-down strategy to manage cyber and privacy risks across the enterprise is essential. Resilience must be integrated into business operations. A company's risk management strategy should be informed by a solid understanding among all leaders of the cyber threats facing the organization and an awareness of which key assets require the greatest protection. There should be a coherent framework for the organization's appetite for risk. Leadership must drive the development of a cyber-risk management culture at all levels of the organization.