No Match Found
While excitement and budgets are rising for cutting-edge security programmes, progress on actually improving security is sluggish, even stagnant. PwC’s 2024 Global Digital Trust Insights survey of 3,876 business and tech executives at the largest global companies — 30% of respondents have revenues of $10 billion or more — shows considerable room for improvement in cybersecurity.
Consider these findings. Breach costs and the number of high-dollar breaches continue to increase. Although cloud attacks are the top cyber concern, about one-third of organisations have no risk management plan to address cloud service provider challenges. Only half are ‘very satisfied’ with their technology capabilities in key cybersecurity areas. More than 30% of companies don’t consistently follow what should be standard practices of cyber defence.
Imagine a world with security at the epicenter of innovation — the field where bright ideas and bold ambitions flourish. Imagine the CISO right there, working to secure the organisation’s lofty ambitions and prized assets.
We note 179 respondents who seem to be doing just that. These top 5% — our stewards of digital trust — are reaping benefits that others are missing. They’re experiencing fewer breaches, and the attacks that do hit them aren’t as costly. Managing risk is easier because they’ve streamlined their security solutions. And they’ve positioned themselves for greater productivity and faster growth, outpacing the competition as they plunge into new technologies with confidence that they are well protected.
6x more likely to have already implemented transformative cybersecurity initiatives from which they are realising benefits.
5x more likely to be very satisfied with their current cyber technology capabilities.
4x more likely to be continually updating their risk management plan to mitigate cloud risks.
9x more likely to be mature in their cyber resilience practices.
Invest more into cyber budget, with 85% increasing their cyber budget in 2024 (vs 79% overall), of which 19% are increasing cyber budget in 2024 by 15% or more, compared to 10% overall.
Say their most damaging cyber breach in the last three years cost them less than $100k (28% vs 19% overall).
Strongly agree their organisation will develop new lines of business using GenAI (49% vs 33% overall).
Plan to deploy GenAI tools for cyber defence (44% vs 27%).
Disagree that ‘GenAI will lead to a catastrophic cyber attack’ (33% vs 22% overall).
Source: PwC, 2024 Global Digital Trust Insights.
With technology now at the heart of business, safeguarding it is tantamount to safeguarding the enterprise. That’s why in 2023, PwC created a playbook for C-level executives to help each C-level executive focus on the questions they need to answer with their CISO.
We’ve updated the playbook for 2024. This is likely to be a watershed year. Cybersecurity faces four major shifts, each of which could be disruptive on its own.
Businesses are reinventing themselves. Policymakers are thinking of new regulatory approaches. Are your senior executives being similarly innovative in the way they secure their organisations? How bold can you be, and what might you do differently?
Mitigating cyber risk is a top priority for 2024, according to PwC’s 2024 Global Digital Trust Insights survey. After dropping to fourth place in the list of prioritized risks in last year’s PwC CEO Survey, it’s now second for our respondents, behind only digital and technology risks. And in the minds of our respondents, digital and technology risks are inextricable from cyber risk.
In today’s business climate, we simply can’t talk about digital transformation or reinvention without mentioning cybersecurity in the same breath. Cloud attacks and attacks on connected devices are the cyber threats our respondents are most concerned about — two technologies at the heart of business transformation today.
Mega breaches are increasing in number and scale — and cost. The percentage of those reporting costs of $1 million or more for their worst breach in the past three years rose to 36% from 27% last year.
The pace of business reinvention and innovation using technology is not slowing down. Not when 40% of CEOs think their companies may no longer be economically viable a decade from now if they stayed on their current path.
The C-suite challenge is this: is your organisation’s cyber risk management keeping up with the changes?
Percentage who say they had a $1M+ breach: 2024 total = 36%, 2023 total = 27%
Modernisation and optimisation top the cyber investment priorities for 2024. Nearly half (49%) of the business leaders selected technology modernisation, including cyber infrastructure, and 45% chose optimisation of existing technologies and investments.
In our 2022 survey we found that CEOs in particular were very concerned that their organisations had become too complex to secure. At that time, 32% had consolidated technology vendors in an effort to simplify, as well as realign their mix of managed and in-house services.
In the 2024 survey, 44% report using an integrated suite of cyber tech solutions, and 39% plan to move to one in the next two years. Nearly one-fifth — 19% — say they have too many cyber solutions and need to consolidate.
The C-suite challenge isn’t a lack of tools or a lack of investment. Instead, it’s figuring out how your organisation can reap the benefits of your investments. Is your IT architecture too complex to adequately protect? Are you making it easy for threat actors to find gaps in your defence?
Cloud security is the No. 1 cyber risk concern for nearly half (47%) of our respondents. The ways bad actors might get in may seem virtually limitless. Organisations should place controls everywhere: on identity and access, lateral movement, email accounts, website portals, applications, proprietary information, customer interactions, operating systems, connected devices, the list goes on.
Many of our respondents — 42% — use more than one cloud, and concerns over cloud security increase among users of multiple — hybrid — clouds. Fifty-four percent of these respondents cite cloud as their most pressing cybersecurity risk. Hybrid cloud users are also the most likely to select cloud among their top three priorities for security investments over the next year (36% as opposed to 33% overall).
But nearly every organisation — 97% — has gaps in its cloud risk management plan. Only 3% maintain up-to-date plans that address all nine cloud security areas. Risks posed by fragmented regulations, for instance, have yet to be addressed by 42%; 41% have no plan for dealing with concentration risk; 36% haven’t yet addressed third-party cloud risk.
The C-suite challenge is this: How do you work together and with your cloud security providers to make headway in defending the most important entry points to your systems and assets via the cloud?
Nearly seven in 10 say their organisation will use generative AI (GenAI) for cyber defence. GenAI tools can help reduce a disadvantage for cyber teams overwhelmed by the sheer number and complexity of human-led cyber attacks, both of which continually increase.
Many vendors are pushing the limits of GenAI, testing what’s possible. It could be some time before we see broad-scale use of defenceGPTs. In the meantime, here are the three most promising areas for using GenAI in cyber defence: threat detection and analysis, cyber risk and incident reporting, and adaptive controls.
The C-suite challenge is this: How do you wield the new tools without inviting new risks to flare up in the organisation and in society? What should you do to use GenAI ethically and responsibly?
The mainstream view is that new rules and regulations hinder revenues, but here’s the take of at least one-third of respondents: The guardrails regulators put up can give companies added confidence to explore, experiment, invent and compete.
About a third of this year’s respondents agree that four types of regulation will be most important to securing the future growth of their organisation — regulation of AI (37%), harmonisation of cyber and data protection laws (36%), mandatory reporting of cyber risk management, strategy and governance (35%) and operational resilience requirements (32%).
As many as three-quarters expect that compliance with these regulations will require significant outlays of money and time. Incurring high costs and revenue impacts may be avoidable, if businesses involve themselves early and often in regulatory processes — meeting with law enforcement, for example, participating in public comments and even taking a seat at the table with regulators to help craft or influence proposed directives.
The C-suite challenge is this: Amid regulatory uncertainty, can you give your organisation the room to innovate while keeping security and privacy by design? How do you turn this new regulatory environment as a source of competitive advantage?
It’s no longer business-as-usual at your organisation. But most companies are still locked into cyber-as-usual, as the 2024 Global Digital Trust Insights survey shows.
Fragmented initiatives. An ever-expanding array of technological complexities. A risk management programme that, with its gaps, is risky in itself. Transformations and projects that don’t produce the results you want. These stumbling blocks and others remain in the way of cybersecurity that’s truly trustworthy.
The top initiatives in this chart are cyber-focused; the bottom, business-focused
In the 2023 playbook, we identified critical challenges that C-suite executives should address together, as partners. These are still relevant.
In 2024, we’re raising the challenge: Do you dare, as a C-suite leader, to break out of the stasis and make the one or two bold moves that will matter most for your organisation? Or to take that one imaginative leap that could finally clear the hurdles blocking your company from its goals?
We see some enterprises already picking their best bets. The array of options is broad. What’s right for your organisation?
Placing yourself at the epicenter of innovation means meeting your leadership teams where they are and helping them to overcome the intimidation they might feel regarding what you do. Using insider terms such as cyber landscape, attack surface and even zero trust can only further mystify those outside your profession.
Dare to talk about cyber in business-speak, tech-speak, finance-speak or everyday-speak. Speak to your customers, investors and business partners in annual security reports in ways that inform and engage. Using common vocabularies can help executives wrestle with the trade-offs, tensions and chaos that inevitably happen at the epicenter of innovation.
Use more sophisticated approaches to cyber risk modeling, such as scanning for threats using formulas specific to your company’s sector, vision and strategy. Create a risk-linked performance incentive for every bonus-eligible employee in the company, to build a risk culture. Invent new ways to find and strengthen your weaknesses, perhaps with a modern bug bounty programme that incentivises independent security research. Finally, procure and begin using a cloud-first, centrally managed identity solution to secure your business expansion goals.
Speak the language of trust, not just regulatory compliance. Involve yourself early and often for the better chance at influencing any new rules and ensuring that they boost, not hinder, business success. AI, the metaverse, cryptocurrency, privacy — these hot regulatory topics could well benefit from your experience and insights. Remember, regulators can feel as befuddled as anyone by the workings of cyber and tech.
Providing you with around-the-clock eyes is one benefit of automation, GenAI and managed services. Performing mundane chores so your teams don’t have to is another. Liberated from the tyranny of tedious tasks, your people may find time and space to ponder new cyber threats and create new ways to thwart evolving threats.
Cyber tops the risk register in most companies and on many executive surveys. But is it a staple topic in your boardroom? Are you getting quality information not on cyber risks and controls, but also on how major strategic initiatives are furthering business and revenue growth? Security provides the underpinnings for everything the organisation does: finance, development, personnel, technology and other areas of the business you likely discuss every time you meet.
Looking your cyber programme squarely in the eye can be a daring move.
Business transformation is one thing. Cyber transformation is not another. They are the same. The CISO and CEO together need now embrace cyber as a whole-of-business endeavor, putting yourselves in the business owner’s shoes. Wouldn’t they want every aspect — financial records, proprietary research, application development, customer data and the like — protected from unauthorized viewing or use? Wouldn’t they want to safeguard their brand? Couldn’t cybersecurity spur innovations that save money and help the business to grow? This is the raison d’etre of cyber.
The 2024 Global Digital Trust Insights is a survey of 3,876 business, technology and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs and C-Suite officers) conducted in the May through July 2023 period.
Four out of 10 executives are in large companies with $5 billion or more in revenues. Importantly, 30% are in companies with $10 billion or more in revenues.
Respondents operate in a range of industries, including industrial manufacturing (20%), financial services (20%), tech, media, telecom (19%), retail and consumer markets (17%), energy, utilities, and resources (11%), health (9%) and government and public services (3%).
Respondents are based in 71 countries. The regional breakdown is Western Europe (32%), North America (28%), Asia Pacific (18%), Latin America (10%), Eastern Europe (5%), Africa (4%) and Middle East (3%).
The Global Digital Trust Insights Survey had been known as the Global State of Information Security Survey (GSISS). Now in its 26th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.