November 2, 2017 By Christophe Veltsos 3 min read

In October 2017, PricewaterhouseCoopers (PwC) released the latest edition of “The Global State of Information Security Survey.” For this report, the professional services firm surveyed over 9,000 leaders, including CEOs, chief financial officers (CFOs), chief information officer (CIOs) and chief information security officers (CISOs), from 122 countries.

This year, PwC is releasing survey results in batches, starting with its “Strengthening Digital Society Against Cyber Shocks” report. The 20-page report is the latest snapshot of the state of affairs when it comes to organizational — as well as regional and national — maturity in cybersecurity, cyber risk oversight and cyber resilience.

Key Findings From the ‘Global State of Information Security Survey’

We’ve organized the key findings from PwC’s security survey into three categories: items that indicate progress (the good), negative issues that continue to plague organizations around the globe (the bad), and issues that indicate a lack of progress or, worse, a downslide toward more chaotic and dangerous cyber ecosystems (the ugly).

The Good: Increasing Commitment to Cybersecurity

The PwC security survey pointed to the International Telecommunication Union (ITU)’s “Global Cybersecurity Index (GCI) 2017” report, which ranked the U.S. second on its cybersecurity commitment index, behind only Singapore. In the business world, one result of this increased commitment to cybersecurity is the growing number of organizations in which the CISO reports to the CEO (40 percent) or directly to the board of directors (27 percent). However, the report also revealed that 24 percent of CISOs still report to CIOs.

The Bad: Security Awareness Lags

We don’t have to go far into the PwC report to find the bad. In its opening paragraph, the report stated that “many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society.” Only 31 percent of boards participate in the review of current security and privacy risks, and only 44 percent are involved in setting overall security strategy. It only gets worse from here, which brings us to the ugly.

The Ugly: Imminent Disruption

There are many bleak statistics. For example, 48 percent of respondents reported not having a security awareness training program, and 54 percent said they lacked an incident response plan. From a technical perspective, only 45 percent of respondents said they conducted vulnerability assessments, while 42 percent reported running penetration tests. Together, these four items represent cornerstones of basic cybersecurity controls that organizations aren’t utilizing.

The PwC report also referenced the “Global Trends Report,” released in January 2017 by the U.S. National Intelligence Council (NIC), which warned that society faces imminent disruption due to various issues such as cyberattacks. The NIC report stated that “disrupting societies will become more common, with long-range precision weapons, cyber and robotic systems to target infrastructure from afar, and more accessible technology to create weapons of mass destruction.”

It went on to speculate that emerging technologies would enable cybercriminals to commit massively disruptive, potentially lethal acts, such as shutting down electrical systems. The results of the PwC survey echo those concerns: Among leaders of organizations using robotics or automation, 40 percent ranked disruption of operations/manufacturing as the biggest potential consequence, while 29 percent pointed to physical property damage and 22 percent worry about harm to human life.

Where Do We Go From Here?

While the ITU report found that governments around the world are improving and strengthening their cybersecurity agendas, the PwC report revealed that the business world still has a long way to go. Since much of the U.S.’s critical infrastructure is privately owned, those improvements are vital to safeguard our way of life.

A major takeaway from the report is the notion that improved risk resilience can lead to stronger economic performance. Organizations of all sizes and across all sectors and locations need to look inward, evaluate their approach to managing cyber risks and start focusing on becoming more cyber resilient. This means fostering a culture of security and focusing on cyber resilience as part of business operations.

There’s no time to waste. We need to start somewhere, and the time is now. For CISOs, that means expanding their understanding of the business and sphere of influence, and communicating cyber risks in terms of their impact on the business. For CEOs and board directors, it means being engaged, asking tough questions and taking a closer look at the organization’s security strategy and budgets.

More from Risk Management

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

It all adds up: Pretexting in executive compromise

4 min read - Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.What is pretexting?Pretexting is the use of a fabricated story or narrative — a “pretext” — to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today