Is your organisation too complex to secure?

75% say their organisations are too complex. But those that had the best cybersecurity outcomes over the past two years are 5x more likely to have streamlined operations enterprise-wide.

Be deliberate about simplicity and simplification

In an overly complex organisation, it’s easy for the left hand not to know what the right hand is doing — and the consequences for cybersecurity and privacy can be dire. Seventy-five percent of C-suite respondents to our survey, including CISOs, say their companies are too complex, avoidably and unnecessarily so, and nearly as many say complexity poses “concerning” cyber and privacy risks to their organisations in 11 key areas.

Data seems to be a chief point of concern, especially among large companies (revenues of $1 billion or more). Data governance (77%) and the data infrastructure (77%) ranked highest among areas of “unnecessary and avoidable” complexity. 

Technology networks and devices are also highly complex, particularly in large companies and North American companies. Digital-native companies — those that exist entirely online — tend to use the newest technologies, which are designed to connect and operate together. Most other companies’ technology architectures, which include legacy systems, are more complicated. Mergers with other entities may multiply risks by connecting already complex networks and systems. 

The most worried about all this complexity are CEOs. They assign a complexity level of 10 to seven of 11 areas in their organisations. CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments, and crossover from IT to operational technology (OT). 

Executives in large organisations and in North America are more likely to be concerned about risks from complexities in the cloud environment and the crossover from IT to OT.

Chart: 75% of executives report too much complexity in their organisations, leading to ‘concerning’ cyber and privacy risks
Questions: In your view, how complex are the following operations in your organisation, on a scale of 1 to 10? How significant are the cyber and privacy risks posed by complexity in these areas in your organisation?
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

The costs of complexity

Complexity isn’t bad in and of itself. Often, it’s a by-product of business growth. The larger an organisation, the more complex it will naturally be, needing more people and technologies to serve a growing customer base.

The costs of creating unnecessary complexity are not obvious, and it’s hard to create urgency around combatting complexity — that is, until an attack occurs.

One company needlessly kept the sensitive data of people it no longer did business with, making that data available for hackers to steal.

In our article Simplifying cyber, we give examples of how simplification can improve security. At a global retail organisation, six vendors managed customer contacts. Two of those vendors’ systems had been breached in the past. After consulting with the CEO and board, the new operations director whittled the vendor list to two. This simplification improved security: monitoring two vendors is easier than keeping tabs on six, access to customer information is easier to control, and the retailer could more readily back up the smaller cache of customer data.

Asked to name the top consequences of operational complexity, our respondents named:

  1. Financial losses due to successful data breaches or cyber attacks.
  2. Inability to innovate as quickly as the market opportunities allow.
  3. Lack of operational resilience, or the ability to recover from a cyber attack or technology failure.

Complexity not only threatens today’s fortunes, in the view of executives. It also prevents organisations from creating new opportunities quickly and pursuing future ones.

Chart: In all industries, top consequences of complexity are financial losses, inability to innovate, and lack of resilience
Question: In your view, what are the most important consequences of complexity on your business?
Respondents: industrial manufacturing = 789; technology, media and telecommunications = 824; financial services = 724; retail and consumer = 581; energy, utilities and resources = 299; healthcare = 255; government/public services = 126
For government/public services, the third most important consequence is ‘inability to retain top talent.’
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

The move to simplification

Businesses know the risks of complexity, yet only 35% of our respondents have performed any streamlining of their operations and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway. 

Simplifying an organisation takes time, requiring changes in viewpoints and company culture. That’s not easy to achieve, but the payoffs are mighty. The companies that had the best cybersecurity outcomes over the past two years (most improved) are 5x more likely to have streamlined operations enterprise-wide. They’ve focused on consolidating tech vendors (62%), defining/realigning the mix of in-house and managed services (60%), reorganising functions and ways of working (59%) and creating an integrated data governance framework (58%). 

More and more CISOs and CIOs are taking a hard look at their tech investments, no longer just entertaining or chasing the latest products from tech vendors. We’re seeing consolidation of tech vendors and applications to reverse the hard-to-manage and risky tangle of disparate and vulnerable software and tech stack. 

Simplification of cyber. To be fair, simplifying cybersecurity can be challenging. Even knowing where to begin can be difficult, especially given the attacks hitting businesses on every front. Asked to prioritise among nine initiatives aimed at simplifying cyber programs and processes, respondents couldn’t choose, allotting near-equal importance to all of them. CISOs who are building layers of control, for defense in depth, are well-intentioned but must guard against introducing more complexity and cost. More controls don’t always make a company more secure.

Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation. Yet companies typically waste an average of 35% of their cloud budgets on inefficiencies. Runaway complexity can quickly result from extensive technology options, new architectural approaches, complicated service plans, unused capacity and confusing billing and pricing, especially when the technologies offered are constantly changing. 

Done right, however, cloud transformations can be secure, efficient, and successful. Cloud security is the top investment priority of our survey respondents, as well as in our June US-specific survey. That’s encouraging — but only 16% report realising benefits from these investments. Thirty-five percent haven’t fully benefited from cloud security investments and 45% are just starting or planning theirs.

Whether or not you’re using the cloud to simplify, minimising and combining your tech stack and processes may feel like a bold move. Doing so requires asking hard questions and maintaining a keep-it-simple mindset. To get there, your organisation will need security-minded leadership starting at the very top. 

Don’t overlook moves that can have a significant impact. For example, two moves — deploying two-factor authentication and putting your remote desktop protocol (RDP) behind the firewall — can vastly reduce the risks from phishing, which remains a popular tactic both on its own and in tandem with malware and ransomware attacks.
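The RDP half of that recommendation, as an added example that is not part of the PwC report: a PowerShell fragment for a Windows host that disables the built-in any-source Remote Desktop firewall rules, allows inbound TCP 3389 only from an assumed management/VPN subnet (10.10.0.0/24 is a placeholder), requires Network Level Authentication, and then lists every enabled inbound rule that still touches port 3389 so the result can be checked. Two-factor authentication is assumed to be enforced at the VPN or gateway that fronts that subnet, which this fragment does not configure. Run in an elevated session.

```powershell
# Added example (not from the PwC report). Keep RDP reachable only from inside the
# perimeter: scope inbound TCP 3389 to a management/VPN subnet and require NLA.
# 10.10.0.0/24 is an assumed placeholder; replace it with your own range.
$MgmtSubnet = '10.10.0.0/24'

# 1. Default inbound action Block on every profile, so any traffic without an
#    explicit allow rule (including RDP from other sources) is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the built-in 'Remote Desktop' rule group, which allows 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. One allow rule, scoped to the management subnet, on the Domain and Private profiles only.
#    (Do not add a separate Block rule for 3389: Windows Firewall lets block rules win
#    over allow rules, so it would also cut off the management subnet.)
New-NetFirewallRule -DisplayName 'RDP - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Profile Domain,Private -Action Allow

# 4. Require Network Level Authentication so credentials are verified before a
#    session is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 5. Verify: every enabled inbound rule that matches port 3389, with its remote-address scope.
#    Expect a single row, scoped to $MgmtSubnet, after the steps above.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    }
```

The verification step is the part worth keeping in a scheduled check: a second enabled inbound rule for 3389 with RemoteAddress of Any is exactly the exposure the report warns about, and it reappears easily when another tool or administrator re-enables the default rule group.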

Chart: Simplification in organisations: 3 in 10 have streamlined over the last two years
Streamlining measures shown:
  - Defined a new mix of remote/virtual and onsite work
  - Reorganised functions and ways of working
  - Consolidated technology vendors
  - Created an integrated data governance framework
  - Automated standard, repetitive processes
  - Created an integrated dashboard for key metrics
  - Defined or re-aligned the mix of in-house resources and managed services
  - Rationalised technologies, including decommissioning legacy technologies
  - Removed redundancies in processes
Question: In the last two years, to what extent has your organisation streamlined operations in the following ways? Percentage responding ‘completed enterprise-wide’. Other potential responses were ‘partially completed,’ ‘just started,’ or ‘not at all.’
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

Chart: Simplification of cyber: spending is spread across several initiatives (average share of total spending on cyber simplification)
Question: In the next two years, what proportion of your cybersecurity spend will your organisation allocate to each of the following initiatives to simplify cybersecurity?
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.
Contact us

Sean Joyce

Partner, Global Cybersecurity and Privacy Leader, PwC United States