Despite heightened risks, hope flourishes

We identified the most prepared respondents — the top quartile that are likely to be (1) receiving significant investment in cybersecurity and privacy, (2) interacting more with CEOs and boards and (3) leading their security function ahead of the pace and scope of their organization’s digital transformation. These three conditions set them apart with a vastly different stance towards cybersecurity. 

This “most prepared group” is more likely to:

• Have mitigated risks with remote work and accelerated cloud adoption.
• Prioritize cloud security investments over the next two years.
• Have named a chief privacy officer and chief data officer.
• Have restructured the security team.
• Have embedded its security team in product development teams.
• Participate in public-private collaboration opportunities.
• Participate in robust information sharing within a public-private collaboration group.

There’s general optimism among all respondents about their ability to get, and remain, cyber-ready. Given a choice between an optimistic outlook and a pessimistic view of the future, large majorities said optimism more closely represents their view. Thirteen percent were positive in all areas, and only 2% chose all the negative statements.

Most respondents view more attention from the board and investors as a positive. Nearly three-quarters (72%) expect cyber will become an important board focus as the year progresses. Two-thirds anticipate that data security and privacy will become a focus of investor ESG ratings. 

Rising cyber budgets relative to IT budgets bolsters their positive outlook. Companies are innovating in cyber and privacy, not only solving immediate problems, 64% said. Worldwide spending on information security and risk management technology and services is forecast to grow 12.4% to reach $150.4 billion in 2021, according to the latest forecast from Gartner, Inc. Security and risk management spending grew 6.4% in 2020.*

What do the respondents think of regulation? National and state regulatory enforcement will tighten and help improve cybersecurity, 63% agree. Only 37% think inconsistency in enforcement will allow poor cyber practices to continue.

Private-public collaboration didn’t fare as well in our study. CISOs and CIOs were least optimistic about its improvement. They also indicated doubt in the federal government’s ability to robustly defend private industry against nation-state cyber threats.

^{_{* Gartner Press Release, Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021, May 17 2021.}}

Truly understanding and planning the response to a major cyberespionage attack is like putting together puzzle pieces — 90% of which are in the hands of private companies. 

Most (84%) say they participate in public-private information-sharing — but how effective are their efforts when their collaborators are competitors or don’t trust one another?

Companies don’t generally do breach reporting well. Instead of volunteering details, they hide them away — hamstringing government efforts and creating a self-fulfilling prophecy. Absent a voluntary commitment to cooperate and collaborate, a federal data breach reporting law can force the issue. Companies, for their part, might want to know their disclosures are confidential, and to seek assurance that they won’t face liability or be subject to enforcement action from the Federal Trade Commission or other regulators. 

Without business participation, governments really can’t defend against nation-state attacks. Private enterprise’s reluctance to divulge breach information needs to change, especially given attackers’ methods such as advanced persistent threats, which can cause widespread harm without detection. Effective defense demands a risk-based, strategic, carefully-crafted plan that changes as tactics do. To get it right, companies should put all their puzzle pieces on the table.

According to our survey, public-private collaboration is fairly commonplace. Nearly 40% say they lead a collaborative initiative, and another 45% are active participants. But companies should focus on the quality of those collaboration mechanisms.

The financial sector — guardian of our individual and collective wealth — provides a model for effective public-private collaboration under the National Cyber-Forensics and Training Alliance (NCFTA). In these private-only meetings, no regulators are in the room. Companies share their information and aggregate the data. They use deconfliction, coordination and collaboration techniques to help solve common problems. And the NCFTA’s reported outcomes are tangible, such as financial losses prevented.