Senior leadership needs to be more engaged in cybersecurity strategies

Cristina De Luca

October 13, 2022

One in four companies worldwide has experienced a data breach costing $1 to $20 million or more in the past three years. Four in five need a comparable and consistent format for mandatory disclosure of cyber incidents to gain stakeholder trust. Less than half (42%) of executives surveyed are fully confident that their organisation can provide the necessary information about a relevant/significant incident. The data is from PwC’s annual “Global Digital Trust Insights” survey, which heard from more than 3,500 senior executives in 65 countries between July and August this year.

Less than 40% of executives surveyed say they have fully mitigated their exposure to cyber security risk in several critical areas such as enabling remote and hybrid working; accelerated cloud adoption; increased use of the internet of things; and further digitisation of the supply chain.

Nine in ten expressed concern about their organisation’s ability to withstand a cyber attack that disrupts their supply chain, with 56% extremely or very concerned.

The increase in cyber threats, in both frequency and sophistication, has made holistic approaches to cyber security a priority for C-suites and boards. And it’s not hard to see why. The cost of cyber breaches goes far beyond direct financial costs, according to marketing executives surveyed.

The range of damage that organisations have suffered due to a cyber breach or data privacy incident in the last 3 years includes loss of customers (cited by 27%), loss of customer data (25%) and damage to reputation or brand (23%).

These distressing moments can serve as a catalyst for collaboration, sharpening the awareness of the entire C-suite to act on cybersecurity. Senior executives are beginning to understand the need to work as a cohesive unit, led by the CISO, who becomes broadly empowered to advocate, collaborate and orchestrate a better cyber future. According to survey data, 46% of CEOs want to give CISOs more authority to drive security collaboration in the coming year.

Board members are also willing to learn more about cybersecurity and devote time to the topic in 2023.  And they see CISOs and C-suite members as the ones who can best help them become familiar with the organisation’s cybersecurity. The new era of cyber transparency means that CISOs must become adept at presenting information in a way that the board, senior management and investors can understand and act upon. 

Boards are more engaged in tackling cyber threats
Source: PwC

Boards and the C-suite see increasing threats to their organisation and are concerned that they are not fully prepared to face them.

Half of executives say that lack of security and governance is the main barrier to their increased use of data for decision-making, edging out lack of data accessibility (47%), accuracy (42%) and usability (42%).


Also according to the study, companies continue to increase their spending on cybersecurity: 65% of senior executives expect an increase in 2023, compared to 69% in 2022. But the increase will be smaller than that realised in 2022: up to 10%. Not surprisingly, organisations that have been breached are significantly more likely to say they would increase their cyber spending in 2023: 68% versus 55% of those that have not been breached. And among large companies (with annual revenue of more than $1 billion), 10% will increase their cyber spending by 15% or more.

Budgeting for cyber is changing
Source: PwC

Nearly 4 in 10 CEOs, CFOs and CISOs fund cybersecurity as a percentage of all technology spending, including OT and automation. Another 15% say their budget takes into account a percentage of revenue. More than half say they are choosing how to spend on cyber according to seven key parameters, including:

  • Alignment with overall business strategy (55%)
  • Reflection of cyber priorities (55%)
  • Adding value to the organisation (52%)
  • Balance of immediate and long-term needs (51%)
  • Informed by risk quantification (51%)
  • Considering the organisation’s risk appetite (51%)

Technology solutions top the list of strategic acquisitions that CFOs see as key to improving their organisations’ cyber defence performance. In fact, modernisation, especially of operational technology, is still an issue in many companies. Outdated technology and managing its vulnerabilities are the main barriers to improving operational technology security, say CISOs, CIOs and CTOs.

Worrying scenarios

The study also points to three cyber events that are of most concern to senior executives today:

  • 38% expect more serious attacks via the cloud in 2023;
  • 29% of large organisations expect an increase in OT attacks;
  • 45% of security and IT executives expect an increase in ransomware attacks.

Two-thirds of executives consider cybercriminals the most significant threat vector for their organisation in the coming year.

Cybersecurity risk scenarios
Source: PwC