In October 2017, PricewaterhouseCoopers (PwC) released the latest edition of “The Global State of Information Security Survey.” For this report, the professional services firm surveyed over 9,000 leaders, including CEOs, chief financial officers (CFOs), chief information officer (CIOs) and chief information security officers (CISOs), from 122 countries.
This year, PwC is releasing survey results in batches, starting with its “Strengthening Digital Society Against Cyber Shocks” report. The 20-page report is the latest snapshot of the state of affairs when it comes to organizational — as well as regional and national — maturity in cybersecurity, cyber risk oversight and cyber resilience.
Key Findings From the ‘Global State of Information Security Survey’
We’ve organized the key findings from PwC’s security survey into three categories: items that indicate progress (the good), negative issues that continue to plague organizations around the globe (the bad), and issues that indicate a lack of progress or, worse, a downslide toward more chaotic and dangerous cyber ecosystems (the ugly).
The Good: Increasing Commitment to Cybersecurity
The PwC security survey pointed to the International Telecommunication Union (ITU)’s “Global Cybersecurity Index (GCI) 2017” report, which ranked the U.S. second on its cybersecurity commitment index, behind only Singapore. In the business world, one result of this increased commitment to cybersecurity is the growing number of organizations in which the CISO reports to the CEO (40 percent) or directly to the board of directors (27 percent). However, the report also revealed that 24 percent of CISOs still report to CIOs.
The Bad: Security Awareness Lags
We don’t have to go far into the PwC report to find the bad. In its opening paragraph, the report stated that “many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society.” Only 31 percent of boards participate in the review of current security and privacy risks, and only 44 percent are involved in setting overall security strategy. It only gets worse from here, which brings us to the ugly.
The Ugly: Imminent Disruption
There are many bleak statistics. For example, 48 percent of respondents reported not having a security awareness training program, and 54 percent said they lacked an incident response plan. From a technical perspective, only 45 percent of respondents said they conducted vulnerability assessments, while 42 percent reported running penetration tests. Together, these four items represent cornerstones of basic cybersecurity controls that organizations aren’t utilizing.
The PwC report also referenced the “Global Trends Report,” released in January 2017 by the U.S. National Intelligence Council (NIC), which warned that society faces imminent disruption due to various issues such as cyberattacks. The NIC report stated that “disrupting societies will become more common, with long-range precision weapons, cyber and robotic systems to target infrastructure from afar, and more accessible technology to create weapons of mass destruction.”
It went on to speculate that emerging technologies would enable cybercriminals to commit massively disruptive, potentially lethal acts, such as shutting down electrical systems. The results of the PwC survey echo those concerns: Among leaders of organizations using robotics or automation, 40 percent ranked disruption of operations/manufacturing as the biggest potential consequence, while 29 percent pointed to physical property damage and 22 percent worry about harm to human life.
Where Do We Go From Here?
While the ITU report found that governments around the world are improving and strengthening their cybersecurity agendas, the PwC report revealed that the business world still has a long way to go. Since much of the U.S.’s critical infrastructure is privately owned, those improvements are vital to safeguard our way of life.
A major takeaway from the report is the notion that improved risk resilience can lead to stronger economic performance. Organizations of all sizes and across all sectors and locations need to look inward, evaluate their approach to managing cyber risks and start focusing on becoming more cyber resilient. This means fostering a culture of security and focusing on cyber resilience as part of business operations.
There’s no time to waste. We need to start somewhere, and the time is now. For CISOs, that means expanding their understanding of the business and sphere of influence, and communicating cyber risks in terms of their impact on the business. For CEOs and board directors, it means being engaged, asking tough questions and taking a closer look at the organization’s security strategy and budgets.