In October 2017, PricewaterhouseCoopers (PwC) released the latest edition of “The Global State of Information Security Survey.” For this report, the professional services firm surveyed over 9,000 leaders, including CEOs, chief financial officers (CFOs), chief information officers (CIOs) and chief information security officers (CISOs), from 122 countries.

This year, PwC is releasing survey results in batches, starting with its “Strengthening Digital Society Against Cyber Shocks” report. The 20-page report is the latest snapshot of the state of affairs when it comes to organizational — as well as regional and national — maturity in cybersecurity, cyber risk oversight and cyber resilience.

Key Findings From the ‘Global State of Information Security Survey’

We’ve organized the key findings from PwC’s security survey into three categories: items that indicate progress (the good), negative issues that continue to plague organizations around the globe (the bad), and issues that indicate a lack of progress or, worse, a downslide toward more chaotic and dangerous cyber ecosystems (the ugly).

The Good: Increasing Commitment to Cybersecurity

The PwC security survey pointed to the International Telecommunication Union’s (ITU) “Global Cybersecurity Index (GCI) 2017” report, which ranked the U.S. second on its cybersecurity commitment index, behind only Singapore. In the business world, one result of this increased commitment to cybersecurity is the growing number of organizations in which the CISO reports to the CEO (40 percent) or directly to the board of directors (27 percent). However, the report also revealed that 24 percent of CISOs still report to CIOs.

The Bad: Security Awareness Lags

We don’t have to go far into the PwC report to find the bad. In its opening paragraph, the report stated that “many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society.” Only 31 percent of boards participate in the review of current security and privacy risks, and only 44 percent are involved in setting overall security strategy. It only gets worse from here, which brings us to the ugly.

The Ugly: Imminent Disruption

There are many bleak statistics. For example, 48 percent of respondents reported not having a security awareness training program, and 54 percent said they lacked an incident response plan. From a technical perspective, only 45 percent of respondents said they conducted vulnerability assessments, while 42 percent reported running penetration tests. Together, these four items are cornerstones of basic cybersecurity controls that many organizations are not using.

The PwC report also referenced the “Global Trends Report,” released in January 2017 by the U.S. National Intelligence Council (NIC), which warned that society faces imminent disruption due to various issues such as cyberattacks. The NIC report stated that “disrupting societies will become more common, with long-range precision weapons, cyber and robotic systems to target infrastructure from afar, and more accessible technology to create weapons of mass destruction.”

The NIC report went on to speculate that emerging technologies would enable cybercriminals to commit massively disruptive, potentially lethal acts, such as shutting down electrical systems. The results of the PwC survey echo those concerns: Among leaders of organizations using robotics or automation, 40 percent ranked disruption of operations/manufacturing as the biggest potential consequence, while 29 percent pointed to physical property damage and 22 percent worried about harm to human life.

Where Do We Go From Here?

While the ITU report found that governments around the world are improving and strengthening their cybersecurity agendas, the PwC report revealed that the business world still has a long way to go. Since much of the U.S.’s critical infrastructure is privately owned, those improvements are vital to safeguard our way of life.

A major takeaway from the report is the notion that improved risk resilience can lead to stronger economic performance. Organizations of all sizes and across all sectors and locations need to look inward, evaluate their approach to managing cyber risks and start focusing on becoming more cyber resilient. This means fostering a culture of security and focusing on cyber resilience as part of business operations.

There’s no time to waste. We need to start somewhere, and the time is now. For CISOs, that means expanding their understanding of the business and sphere of influence, and communicating cyber risks in terms of their impact on the business. For CEOs and board directors, it means being engaged, asking tough questions and taking a closer look at the organization’s security strategy and budgets.
