By Vikas Sharma, Partner, Cybersecurity & Privacy
Organisations witnessed unprecedented challenges in 2021. The year also presented significant opportunities for leaders to reinvent themselves, re-configure their businesses and embark on a transformation journey.
CEO optimism remained stable and high, demonstrated by the vigour with which C-Levels took the challenge, coupled with the pressure to deliver top-line results. Leaders have identified steps that they need to take to address current and future business risks.
The PwC 25th Annual Global CEO Survey offers a revelatory look at how today’s executives are meeting the most pressing challenges of the day, from navigating an uneven global economic recovery to preparing for a net-zero society or addressing evolving cyber risks.
Over the past two years, in reaction to COVID-19 responses and subsequent behavioural shifts, many organisations compressed what would have been years of digital transformation into months, abruptly elevating their cybersecurity risk profile.
There has been an increase in cyberattacks as people migrated online, which overwhelmed already-strained IT departments, and disrupted millions of new users of remote-work technology. Some organisations, faced with supply-chain interruptions, resorted to alternative suppliers whose suboptimal cybersecurity practices opened new avenues of attack.
In 2021, we saw a distinct shift in the cyber threat landscape, with ransomware (encrypts devices until the victim pays an extort money to restore its services) using current affairs as bait, supply chain attacks, phishing and impersonation becoming the most significant cyber security threat faced by organisations globally, including Mauritius. Similar attacks have been observed locally where organisations fell victim to ransomware malware.
As our society’s dependence on technology increases and cyber threats evolve, our approach to security also needs to change.
To succeed in a digital world, cyber security needs to be embedded in everything we do.
I recently attended a board meeting, where the Chief Information Officer (CIO) and Chief Security officer (CSO) led wide-ranging discussions about digital transformation projects and security safeguards to protect the company’s data and to fortify its systems against breaches.
The board encouraged heightened investment and vigilance, then moved on to its next item on the agenda - a financial committee presentation leading to a board vote on the acquisition of a company.
To the surprise of the CIO and CSO, who were still in the room, there were no further discussions on cybersecurity, even though the acquiree was operating in a region where cyber breaches and criminal hacking were endemic.
The board did not connect the dots between the two items on the agenda. Their view on cybersecurity was more focused on risk dashboards and surveillance, than on the security implications of business decisions; we’ve seen many variations of this situation over the years.
Simply put, far too many boards and CEOs see cybersecurity as a set of technical initiatives and edicts that are the domain of the CIO, CSO and other technical practitioners.
The “So What?” of getting cybersecurity right, needs to be demystified so that it’s part of the broader corporate agenda and not a short shift because of top-line pressures.
At a strategic level, CEOs should incorporate their commitment to cybersecurity into decision-making processes. For example, many organisations might consider cybersecurity risks as part of an M&A review, but how many of them would walk away from a deal because the acquired company would introduce such a risk?
And how many companies would delay a product launch until key cyber vulnerabilities are fixed? How many would question whether entering a new market would open the company to new and potentially devastating cyber-threats?
The pace of technological change is happening faster than the institutional capacity to adapt to it. Therefore, CEOs must create a culture in which companies move fast, but with a commitment to managing risk.
Given this rapid technological evolution, leaders who are serious about the sustainable growth of their business should weave in cybersecurity objectives into their business priorities in a simpler manner to promote strategic dialogue between the board, CEO and the rest of the C-suite.
How does cyber risk affect your business model’s attractiveness, and does that suggest the need for a “simplification agenda”?
How transparent are the cyber risks and trade-offs associated with your external partnerships, and what would be the pros and cons of simplifying your ecosystem to make them more manageable?
How risky are your IT-enabled legacy processes, and how should you prioritise investments to secure, simplify and transform them to achieve a competitive advantage?
Leadership teams who grapple with questions like these embrace simplicity to boost the odds of making the entire enterprise securable.
Vikas is a Partner at PwC Mauritius and leads the Cybersecurity & Privacy and digital practice. He has more than 18 years of experience working in Financial Services, Retail, Hospitality, Telecommunication and Public Sector. He is passionate about the success of his clients, while demonstrating ongoing leadership and commitment to excellence. Read more.
Partner, Cybersecurity & Privacy, PwC Mauritius
Tel: +230 404 5015
Jean-Pierre Young, ACA, CIA
Advisory Leader, PwC Mauritius
Tel: +230 404 5028
Senior Manager, Clients and Markets Development, PwC Mauritius
Tel: +230 4045029