PwC Survey Finds C-Level Execs View Cybersecurity as Biggest Risk

A survey of 722 C-level executives published today by PwC finds 40% of business leaders now rank cybersecurity as the number one serious risk their organizations face.

In addition, 58% of corporate directors said they would benefit most from enhanced reporting around cybersecurity and technology.
Nearly half of respondents (49%) said as a result they are increasing investments in cybersecurity and privacy, while more than three quarters (79%) said they are revising or enhancing cyber risk management.

A full 84% also said they are either monitoring closely or taking action on potential regulatory changes.

Sean Joyce, global and U.S. cybersecurity and privacy leader for PwC, said that as it becomes clear technology is the central nervous system for organizations, the need to secure it is now apparent to most C-level executives, especially as more investments in digital business transformation initiatives are made.

The challenge, of course, remains hiring and retaining cybersecurity expertise, he added. In fact, more organizations than ever are evaluating their cybersecurity outsourcing options, noted Joyce.

Regardless of approach, however, there is a clear need to simplify cybersecurity in terms of both the overall management of cybersecurity tools and platforms and the processes used to invoke them, said Joyce.

Longer term, there is also going to be a greater emphasis on cybersecurity transparency, noted Joyce. The cyberattack against the Health Service Executive in Ireland is a leading example of how organizations should be sharing cybersecurity intelligence in the wake of a breach, said Joyce.

It’s not clear to what degree organizations are today willing to share cybersecurity intelligence in the wake of a breach for fear of disclosing their own inadequacies. However, it is clear to everyone that cybercriminals are sharing techniques and attack vectors. A lack of transparency among victims of cybercrimes only serves to advance the agenda of cybercriminals that generally prefer to reuse the same techniques multiple times over. Cybersecurity needs to evolve into a team sport to effectively counter those threats, said Joyce.

In theory, at least, a greater appreciation for cybersecurity among C-level executives should make it easier for cybersecurity teams to gain funding for projects. Historically, C-level executives have tended to view cybersecurity as a cost to be minimized as much as possible. In fact, many C-level executives still often confuse attaining momentary compliance with a mandate or regulation with actual cybersecurity, which is a continuous process that requires ongoing vigilance.

The challenge is that the return on investment (ROI) has always been dependent on proving a negative based on the absence of a successful attack. The issue, as every cybersecurity professional well knows, is the bad guys only need to succeed once, while the cybersecurity team needs to succeed 24/7 every day of the year. The cybersecurity team also often takes the blame for a breach when in fact the root cause is usually traced back to a user who disregarded one cybersecurity policy or another. Sadly, that end user often turns out to be a C-level executive who should have known better.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.