We identified the most prepared respondents — the top quartile that are likely to be (1) receiving significant investment in cybersecurity and privacy, (2) interacting more with CEOs and boards and (3) leading their security function ahead of the pace and scope of their organization’s digital transformation. These three conditions set them apart with a vastly different stance towards cybersecurity.
This “most prepared group” is more likely to:
There’s general optimism among all respondents about their ability to get, and remain, cyber-ready. Given a choice between an optimistic outlook and a pessimistic view of the future, large majorities said optimism more closely represents their view. Thirteen percent were positive in all areas, and only 2% chose all the negative statements.
Most respondents view more attention from the board and investors as a positive. Nearly three-quarters (72%) expect cyber will become an important board focus as the year progresses. Two-thirds anticipate that data security and privacy will become a focus of investor ESG ratings.
Rising cyber budgets relative to IT budgets bolster their positive outlook. Sixty-four percent said their companies are innovating in cyber and privacy, not only solving immediate problems. Worldwide spending on information security and risk management technology and services is forecast to grow 12.4% to reach $150.4 billion in 2021, according to the latest forecast from Gartner, Inc. Security and risk management spending grew 6.4% in 2020.*
What do the respondents think of regulation? National and state regulatory enforcement will tighten and help improve cybersecurity, 63% agree. Only 37% think inconsistency in enforcement will allow poor cyber practices to continue.
Private-public collaboration didn’t fare as well in our study. CISOs and CIOs were least optimistic about its improvement. They also expressed doubt about the federal government’s ability to robustly defend private industry against nation-state cyber threats.
* Gartner Press Release, Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021, May 17 2021.
Truly understanding and planning the response to a major cyberespionage attack is like putting together puzzle pieces — 90% of which are in the hands of private companies.
Most (84%) say they participate in public-private information-sharing — but how effective are their efforts when their collaborators are competitors or don’t trust one another?
Companies don’t generally do breach reporting well. Instead of volunteering details, they hide them away — hamstringing government efforts and creating a self-fulfilling prophecy. Absent a voluntary commitment to cooperate and collaborate, a federal data breach reporting law can force the issue. Companies, for their part, might want to know their disclosures are confidential, and to seek assurance that they won’t face liability or be subject to enforcement action from the Federal Trade Commission or other regulators.
Without business participation, governments really can’t defend against nation-state attacks. Private enterprise’s reluctance to divulge breach information needs to change, especially given attackers’ methods such as advanced persistent threats, which can cause widespread harm without detection. Effective defense demands a risk-based, strategic, carefully crafted plan that changes as attackers’ tactics do. To get it right, companies should put all their puzzle pieces on the table.
According to our survey, public-private collaboration is fairly commonplace. Nearly 40% say they lead a collaborative initiative, and another 45% are active participants. But companies should focus on the quality of those collaboration mechanisms.
The financial sector — guardian of our individual and collective wealth — provides a model for effective public-private collaboration under the National Cyber-Forensics and Training Alliance (NCFTA). In these private-only meetings, no regulators are in the room. Companies share their information and aggregate the data. They use deconfliction, coordination and collaboration techniques to help solve common problems. And the NCFTA’s reported outcomes are tangible, such as financial losses prevented.
Set priorities for better private-public collaboration using a risk-based approach. Encourage industry associations and other private-sector groups to do the same. Persuade federal agencies to be outcome-oriented, setting security and resilience goals and using them to measure their partnerships’ progress.
Know what your company needs from the government. Define how the government can better help your organization to defend itself, including the key cyber issues you face — and include your government relations people.
1. The cyber-threat landscape: The digital rush left many exposed
2. Big bets: Cloud security, cloud security, cloud security
3. People in cyber: Going all-in on cyber starts from the top
4. Despite heightened risks, hope flourishes
This US Digital Trust Insights Snapshot is a poll of 322 security and technology executives (CISOs, CIOs and similar titles) of US-based companies in April 2021. Sixty-nine percent of respondents are executives in large companies ($1 billion and above in revenues); 9% are in companies with $10 billion or more in revenues. Respondents come from a range of industries: Industrial manufacturing and automotive (23%), tech, media, telecom (19%), financial services (15%), consumer markets (15%), health (14%), and energy, utilities and mining (13%). PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.