November 2, 2017 By Christophe Veltsos 3 min read

In October 2017, PricewaterhouseCoopers (PwC) released the latest edition of “The Global State of Information Security Survey.” For this report, the professional services firm surveyed over 9,000 leaders, including CEOs, chief financial officers (CFOs), chief information officer (CIOs) and chief information security officers (CISOs), from 122 countries.

This year, PwC is releasing survey results in batches, starting with its “Strengthening Digital Society Against Cyber Shocks” report. The 20-page report is the latest snapshot of the state of affairs when it comes to organizational — as well as regional and national — maturity in cybersecurity, cyber risk oversight and cyber resilience.

Key Findings From the ‘Global State of Information Security Survey’

We’ve organized the key findings from PwC’s security survey into three categories: items that indicate progress (the good), negative issues that continue to plague organizations around the globe (the bad), and issues that indicate a lack of progress or, worse, a downslide toward more chaotic and dangerous cyber ecosystems (the ugly).

The Good: Increasing Commitment to Cybersecurity

The PwC security survey pointed to the International Telecommunication Union (ITU)’s “Global Cybersecurity Index (GCI) 2017” report, which ranked the U.S. second on its cybersecurity commitment index, behind only Singapore. In the business world, one result of this increased commitment to cybersecurity is the growing number of organizations in which the CISO reports to the CEO (40 percent) or directly to the board of directors (27 percent). However, the report also revealed that 24 percent of CISOs still report to CIOs.

The Bad: Security Awareness Lags

We don’t have to go far into the PwC report to find the bad. In its opening paragraph, the report stated that “many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society.” Only 31 percent of boards participate in the review of current security and privacy risks, and only 44 percent are involved in setting overall security strategy. It only gets worse from here, which brings us to the ugly.

The Ugly: Imminent Disruption

There are many bleak statistics. For example, 48 percent of respondents reported not having a security awareness training program, and 54 percent said they lacked an incident response plan. From a technical perspective, only 45 percent of respondents said they conducted vulnerability assessments, while 42 percent reported running penetration tests. Together, these four items represent cornerstones of basic cybersecurity controls that organizations aren’t utilizing.

The PwC report also referenced the “Global Trends Report,” released in January 2017 by the U.S. National Intelligence Council (NIC), which warned that society faces imminent disruption due to various issues such as cyberattacks. The NIC report stated that “disrupting societies will become more common, with long-range precision weapons, cyber and robotic systems to target infrastructure from afar, and more accessible technology to create weapons of mass destruction.”

It went on to speculate that emerging technologies would enable cybercriminals to commit massively disruptive, potentially lethal acts, such as shutting down electrical systems. The results of the PwC survey echo those concerns: Among leaders of organizations using robotics or automation, 40 percent ranked disruption of operations/manufacturing as the biggest potential consequence, while 29 percent pointed to physical property damage and 22 percent worry about harm to human life.

Where Do We Go From Here?

While the ITU report found that governments around the world are improving and strengthening their cybersecurity agendas, the PwC report revealed that the business world still has a long way to go. Since much of the U.S.’s critical infrastructure is privately owned, those improvements are vital to safeguard our way of life.

A major takeaway from the report is the notion that improved risk resilience can lead to stronger economic performance. Organizations of all sizes and across all sectors and locations need to look inward, evaluate their approach to managing cyber risks and start focusing on becoming more cyber resilient. This means fostering a culture of security and focusing on cyber resilience as part of business operations.

There’s no time to waste. We need to start somewhere, and the time is now. For CISOs, that means expanding their understanding of the business and sphere of influence, and communicating cyber risks in terms of their impact on the business. For CEOs and board directors, it means being engaged, asking tough questions and taking a closer look at the organization’s security strategy and budgets.

More from Risk Management

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Spooky action: Phantom domains create hijackable hyperlinks

4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.Domain errorsErrors…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today