Are you securing against the most important risks today and tomorrow?

Fewer than 1 in 3 organisations use available data and intelligence when making decisions. Those that had the best cybersecurity outcomes over the past two years are 18x more likely to say data and threat intel are integral to their operating model.

Size up your risks — using data you can trust — to realise opportunities

Organisational leaders recognise the importance of verifying and safeguarding their business information. Asked to frame the cybersecurity mission, the number-one response was, “A way to establish trust with our customers with respect to how we use their data ethically and protect their data.” Eighteen percent of CEOs and 20% of non-CEOs selected customer trust as the way the CEO frames the cyber mission in their organisation.

Data infrastructure and data governance rank as the two most needlessly complex aspects of business operations in PwC’s 2022 Global Data Trust Insights Survey: 77% say both have “avoidable, unnecessary” levels of complexity. About three-quarters say complexity in these areas poses “concerning” risks to cybersecurity and privacy. Complexity of data can stymie any organisation’s ability to effectively use the information it collects and generates. 

A foundation for data you can trust for better business decisions

Organisations first need to set up that good foundation we call data trust: making sure your data is accurate and verified and secure so you can rely on them for business decisions. (And when it comes to customer data, you want to make sure customers know they can trust you to keep their information safe from unauthorised eyes.)

But only about a third of respondents report having mature, fully implemented data-trust processes in four key areas: governance, discovery, protection and minimisation. Nearly a quarter of our respondents say they have no formal data-trust processes in place at all.

Only about one-third of organisations report having a full, formal data governance program — a surprisingly low number. Once you’ve crafted your data strategy, governance — the policies, procedures and processes for fulfilling the strategy — should follow immediately.

Securing your data from tampering as well as theft is also critical to success, yet only about one-third of respondents report having in place fully implemented, formal data security processes including encryption and secure data-sharing (34%). Verifying and protecting the integrity of your data is essential as well. Not doing so is like hiring workers without fact-checking their resumes. You can’t be certain of the quality of the information.

And only 35% have mapped all their data, meaning they know where it comes from and where it goes. The same goes for those who have mature data minimisation processes.

Data is the asset attackers covet most. Your companies can minimise that risk by minimising the target. You must govern, discover and protect only the data you need — and eliminate the rest. Drafts, duplicates, superseded data, legacy data and employee personal data are common candidates for elimination. Low-value data not only creates unnecessary risk, it also crowds out or buries your high-value data.

The two-thirds of organisations that haven’t formally implemented data trust practices may be at risk in more ways than one. Effective data governance is important not only for operational resilience but also for compliance with regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). New, more stringent regulations loom on the horizon as well. When someone asks for information about their data — what you’re keeping and what you’re doing with it — you’d better be able to answer quickly and accurately. If it’s a regulator doing the asking, the wrong answer could bring heavy fines. 

Turning data into true assets that can increase your revenues is one benefit of good data security — as some leading businesses are discovering. Our “most improved” are more than 10x more likely to have a formal process fully in place for all data trust practices.

According to our Trust in Data Survey, companies with more mature data trust practices tend to be ahead in many respects. They earn revenues from data monetisation by personalising services, operating more efficiently and better serving their customers. They strongly agree that higher customer trust leads to demonstrably higher revenue. They’ve made significant moves in the past year to improve customer and investor trust. And they’re more confident in their third-party risk management program because they monitor their third parties more.

Data trust practices have yet to become the norm

Percentages who say they have fully implemented formal processes around these data trust practices

Question: For each of the following, please rate how mature your organisation’s data trust practices are. Percentages are for the response ‘formal process, fully implemented’
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

Use it or lose out

Chances are good that neither you nor your competitors are letting data inform your cyber risk management. Fewer than one in three of survey respondents say they’ve integrated analytics and business intelligence tools into their operating model.

These respondents scored lowest in their ability to turn data into insights for cyber risk quantification, threat modeling, scenario building and predictive analysis — all critical technologies for smart cybersecurity decisions. 

So many entities fail to benefit from today’s advanced intelligence tools and approaches. New types of internal data, data from new external sources, new data partnerships and information-sharing platforms can be important sources of business intelligence, but only about a quarter of respondents say they’re reaping benefits from these tools.

The other three quarters are missing out. Businesses predicting an increase next year in their cybersecurity spending are often the same enterprises whose operational models use business intelligence and data analytics. Data can not only help you spend your cyber budget wisely, it can also help you get more to work with. The most improved (top 10% in cyber outcomes) are 18x more likely to state that these advanced approaches are integral to their operating model.

Executives underutilise data and intel for better decisions and risk management

Percentage who say these are critical to their operating model today

Real-time threat intelligence
Use of generally accepted standards and frameworks in assessment and diagnostic tools
Autonomous threat detection, including cognitive security
Common industry metrics and dashboards
Cyber risk quantification, using FAIR or other methods
Policy and regulatory strategic intelligence platform
Threat modeling, scenario building, and predictive analysis

Percentage who report realising benefits from these tools and approaches

Information sharing platforms with industry
Information sharing platforms with government agencies
New types of internal data we’ve not traditionally used
New data partnerships to complement and enrich our first-party data sources
New external sources of information we’ve not traditionally used
Questions: To what extent does your organisation use the following tools and approaches when making decisions about cyber investments and responding to cyber risk? What best describes your organisation's plans for using the following tools and approaches for better operational intelligence?
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

Sizing up risks — and opportunities 

“In today’s system-of-systems world, cybersecurity can no longer be treated as a ‘too-hard-to-measure’ problem,” the US Cybersecurity and Infrastructure Security Agency argues. Still, as we saw above, only 26% quantify cyber risks today. 

The data you use to spot and understand threats, put a dollar figure on risks and prioritise them, and predict cybercrime trends can be a powerful tool for convincing boards and the CEO to invest in your cyber program. On the other hand, if you’re having trouble getting the funding you need for cyber, you may need to do a better job of quantifying your cybersecurity risk.

By the same token, data can help you stay apprised of real-time risks, and adjust security tactics and strategies as the business shifts. Respondents in five business sectors said the most important reason to quantify cyber risk is “to continuously evaluate our risk landscape and priorities against changing business objectives.” Enterprise leaders recognise that risks are always in a state of flux and that data is the tool that lets them monitor and measure changes.

Sizing up risks is also important for sizing up opportunities and linking cyber-threat narratives to business narratives that the C-suite and boards can understand. A growing number of organisations recognise the importance of cybersecurity to business — but many still have a long way to go. Between 37% and 42% claim “significant progress” linking the two, while 16% to 18% say they’ve made little or no progress aligning cyber and business goals. 

Executives want to size up cyber risks in continually changing risk landscape

Question: What are your organisation’s most important reasons to quantify cyber risk?
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

The 2022 threat outlook

Our respondents do make predictions about the next 12 months. Sixty percent expect an increase in cybercrime; 53% say nation-state attacks are likely to grow. Mobile, the Internet of Things, and cloud top the list of anticipated targets. But the type of attack could take almost any form, in our respondents’ minds. Cloud service attacks (22%) narrowly edged out ransomware (21%) and cryptomining (21%) as most likely to see significant increases, and a long line of other attack types scored at 20% and 19%. Notably, 56% expect a rise in breaches via their software supply chain, with 19% eyeing significant increases — a number that grows to 25% among North American respondents.

The 2022 threat outlook: Executives expect a surge in attacks and reportable incidents
Questions: How do you expect a change in reportable incidents for these events in your organisation? How do you expect threats via these vectors/actors to change in 2022 compared to 2021?
Base: 3,602 respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.


For the CFO

  • Work with the CISO in taking a risk-based approach to cyber budgeting that ties to business objectives.

For the CISO

  • Build a strong data trust foundation: an enterprise-wide approach to data governance, discovery, protection and minimisation.
  • Create a roadmap from cyber risk quantification to real-time cyber risk reporting.
  • Don’t stop at cyber risks. Tie the cyber risks to overall enterprise risks and, ultimately, to effects on the business.
  • With a fuller accounting of cyber risks, identify what works in your business model and where you might need to simplify.
Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Sean Joyce

Sean Joyce

Partner, Global Cybersecurity and Privacy Leader, PwC United States