Big bets: Cloud security, cloud security, cloud security

Key finding: 81% of those who quantify cyber risk say it helped increase productivity and sharpen focus on strategic matters

We see it all the time: Companies convinced of the cloud’s potential but overwhelmed by the complexities of properly securing it. Just 46% of CISOs and CIOs in our survey said they had mitigated the risks associated with accelerated cloud adoption.

Meanwhile, in PwC’s inaugural US Cloud Business Survey of more than 500 C-Suite executives, 53% said they aren’t getting substantial value from their cloud investments—a major concern given that they’re spending millions or even billions of dollars.

The good news is that CISOs and CIOs—across all industries—are prioritizing cloud security for cyber investments over the next two years. 

At the root of the problem of cloud security is a failure to recognize that cloud adoption is a major change. Identity and access management (IAM) that worked well to guard your contained, centralized on-premises system, for example, most likely won’t protect the information and operations you place on the cloud because the two environments are so different. 

What’s more, businesses often use more than one cloud, and a combination of cloud types. Establishing processes, controls and technologies for these mixed environments becomes even more challenging. And how to keep a tight rein on access to companies within an ecosystem, each with its own cloud accounts?

“Fixing cloud security” is an encompassing endeavor. In addition to IAM, important components include third-party risk management (TPRM), real-time intelligence and zero trust. A well-thought-out, step-by-step approach to security can help jump-start stalled migration and/or modernization. It can even hasten the move so you finish faster than originally planned.

Future of industry + security = successful transitions

Along with cloud security, each industry should customize its defenses, based on the risks it faces. The second and third cyber investment priorities of the survey respondents reflect that.

  • The future of manufacturing relies on IoT, cloud and robotic process automation. Real-time threat intelligence and endpoint security investments can help address the growing attack surface and take advantage of data obtained in real-time connections.

  • The future of healthcare will include interoperability, which allows patients access to their data and healthcare professionals to share it for better results. Understandably, the sector’s investments are centered on securing identities and access as well as security training of personnel. 

  • The future of utilities will mean greater connectedness to the customer, an expanding distributed network of renewable power and more power generation outside the utilities' traditional control. The future of oil and gas will likely see more digitization of wells, rigs and pipelines for greater efficiency and better predictive maintenance. Investments in better third-party risk management and business continuity/disaster recovery can help protect connections essential to reliable and continuous power supply.

  • The future of consumer markets will certainly reflect current trends such as touchless checkout, omnichannel shopping and digital supply chains. Investments in identity and access management can secure massive data flows and real-time threat intelligence can help spot the potentially harmful intrusions among millions of transactions per second.  

  • The future of financial services is being shaped by AI and blockchain, so cyber investments are focused on software-defined perimeter approaches. Cybercrime and fraud via humans continues to evolve, and the industry is rightfully focused on ramping up security awareness and training.

Every new digital process and asset becomes a new potential vulnerability for cyber attack. Weaving security and privacy into your vision for the future increases the odds of success and helps guard against new risks.

Big bets secure the future of industries

Evolving threats demand new security approaches

Judging from newer security measures they’re implementing, organizations understand the need to plan ahead and get ahead.

Cyber risk quantification tops the list of measures they’ve taken over the past two years. And quantification has yielded results: 81% say it helps them increase productivity and focus on strategic matters. Quantification, useful for prioritizing risks and for making the case for cyber-spending to the board, got especially high marks from companies in the energy, utilities and resources (EUR) and retail/consumer sectors.

A system for cyber risk quantification helps companies evaluate novel threats. For instance, a highly acquisitive company that quantifies cyber risks can evaluate deal opportunities faster and more systematically. A financial institution can assess threats and vulnerabilities daily or weekly to protect millions of transactions a day and stay alert to how well their controls are working.

Autonomous threat response ranked second on the list of most-implemented cyber strategies. This tool is particularly popular in the technology, media and telecom (TMT) and manufacturing sectors. Respondents reported almost immediate payoffs from 66% of those using autonomous threat response, but it has a downside: 49% said it takes significant time away from operations, likely due to false positives.

Autonomous response is a must for cyber today, however. Manual threat responses are no match for new threats, including AI-powered attacks. Rather than relying on traditional rule-based security controls, AI-driven autonomous threat response learns what’s typical in the user’s environment, then spots anomalies in email services, cloud applications, IoT devices and industrial systems. Stripped of noise in the data, AI-powered solutions can help security teams decide and act more quickly.

Industries try their hand at new approaches

Differential privacy, which lets companies collect and share personal information while protecting individuals’ privacy, ranked third on the list. Most who use this approach report increased productivity and strategic focus (75%) as well as immediate payoffs (73%).

First developed in 2006, differential privacy is making a significant transition from theoretical approaches to practical applications in the government and private sector. Among the most active explorers are major tech companies as well as government agencies, including the US Census Bureau and the National Science Foundation

Coming in a close fourth—and ranking third in many sectors—is confidential computing, defined as encryption of data while it’s in use (not just in transit or at rest). It complements differential privacy techniques in maximizing data use while protecting individual privacy.

Experience with implementation of new approaches

Cyber risk quantification
Autonomous threat responses
Differential privacy

Ease of implementation
Immediate payoffs
Productivity and strategic focus
Simplified workload
Game changer for org

Q: For the new approach, how would you describe the process of implementation and impact on your organization’s cybersecurity?
Base: Those who ranked ‘cyber risk quantification’ as top priority for implementation n=62; ‘autonomous threat responses’ n=74; ‘differential privacy’ n=56.
Source: PwC, US Digital Trust Insights Snapshot Survey 2021, June 2021. Base: 322


Review how you budget. Cyber is finally getting its due. Companies are investing more, and the C-suite is paying attention. But the expectations—and potential for disappointment—are high. Earn executives’ confidence by modernizing your budgeting process, allocating budgets to help mitigate the most significant risks of the business.

Work with other C-Suite executives to make your organization cyber-ready. Step in as a partner to every executive who is driving a major transformation. Familiarize them with the benefits of security and privacy by design for smoother transitions and sustainable outcomes.

About the survey

This US Digital Trust Insights Snapshot is a poll of 322 security and technology executives (CISOs, CIOs and similar titles) of US-based companies in April 2021. Sixty-nine percent of respondents are executives in large companies ($1 billion and above in revenues); 9% are in companies with $10 billion or more in revenues. Respondents come from a range of industries: Industrial manufacturing and automotive (23%), tech, media, telecom (19%), financial services (15%), consumer markets (15%), health (14%), and energy, utilities and mining (13%). PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

Contact us

Sean Joyce

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Joseph Nocera

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.