November 2, 2017 By Christophe Veltsos

In October 2017, PricewaterhouseCoopers (PwC) released the latest edition of “The Global State of Information Security Survey.” For this report, the professional services firm surveyed over 9,000 leaders, including CEOs, chief financial officers (CFOs), chief information officers (CIOs) and chief information security officers (CISOs), from 122 countries.

This year, PwC is releasing survey results in batches, starting with its “Strengthening Digital Society Against Cyber Shocks” report. The 20-page report is the latest snapshot of the state of affairs when it comes to organizational — as well as regional and national — maturity in cybersecurity, cyber risk oversight and cyber resilience.

Key Findings From the ‘Global State of Information Security Survey’

We’ve organized the key findings from PwC’s security survey into three categories: items that indicate progress (the good), negative issues that continue to plague organizations around the globe (the bad), and issues that indicate a lack of progress or, worse, a downslide toward more chaotic and dangerous cyber ecosystems (the ugly).

The Good: Increasing Commitment to Cybersecurity

The PwC security survey pointed to the International Telecommunication Union (ITU)’s “Global Cybersecurity Index (GCI) 2017” report, which ranked the U.S. second on its cybersecurity commitment index, behind only Singapore. In the business world, one result of this increased commitment to cybersecurity is the growing number of organizations in which the CISO reports to the CEO (40 percent) or directly to the board of directors (27 percent). However, the report also revealed that 24 percent of CISOs still report to CIOs.

The Bad: Security Awareness Lags

We don’t have to go far into the PwC report to find the bad. In its opening paragraph, the report stated that “many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society.” Only 31 percent of boards participate in the review of current security and privacy risks, and only 44 percent are involved in setting overall security strategy. It only gets worse from here, which brings us to the ugly.

The Ugly: Imminent Disruption

There are many bleak statistics. For example, 48 percent of respondents reported not having a security awareness training program, and 54 percent said they lacked an incident response plan. From a technical perspective, only 45 percent of respondents said they conducted vulnerability assessments, while 42 percent reported running penetration tests. Together, these four items represent cornerstones of basic cybersecurity controls that organizations aren’t utilizing.

The PwC report also referenced the “Global Trends Report,” released in January 2017 by the U.S. National Intelligence Council (NIC), which warned that society faces imminent disruption due to various issues such as cyberattacks. The NIC report stated that “disrupting societies will become more common, with long-range precision weapons, cyber and robotic systems to target infrastructure from afar, and more accessible technology to create weapons of mass destruction.”

It went on to speculate that emerging technologies would enable cybercriminals to commit massively disruptive, potentially lethal acts, such as shutting down electrical systems. The results of the PwC survey echo those concerns: Among leaders of organizations using robotics or automation, 40 percent ranked disruption of operations/manufacturing as the biggest potential consequence, while 29 percent pointed to physical property damage and 22 percent worried about harm to human life.

Where Do We Go From Here?

While the ITU report found that governments around the world are improving and strengthening their cybersecurity agendas, the PwC report revealed that the business world still has a long way to go. Since much of the U.S.’s critical infrastructure is privately owned, those improvements are vital to safeguard our way of life.

A major takeaway from the report is the notion that improved risk resilience can lead to stronger economic performance. Organizations of all sizes and across all sectors and locations need to look inward, evaluate their approach to managing cyber risks and start focusing on becoming more cyber resilient. This means fostering a culture of security and focusing on cyber resilience as part of business operations.

There’s no time to waste. We need to start somewhere, and the time is now. For CISOs, that means expanding their understanding of the business and sphere of influence, and communicating cyber risks in terms of their impact on the business. For CEOs and board directors, it means being engaged, asking tough questions and taking a closer look at the organization’s security strategy and budgets.
