Despite heightened risks, hope flourishes

Key finding: Investments, CEO and board attention, and forward-looking CISOs make for a cyber-ready organization

We identified the most prepared respondents — the top quartile that are likely to be (1) receiving significant investment in cybersecurity and privacy, (2) interacting more with CEOs and boards and (3) leading their security function ahead of the pace and scope of their organization’s digital transformation. These three conditions set them apart with a vastly different stance towards cybersecurity. 

This “most prepared group” is more likely to:

  • Have mitigated risks with remote work and accelerated cloud adoption.
  • Prioritize cloud security investments over the next two years.
  • Have named a chief privacy officer and chief data officer.
  • Have restructured the security team.
  • Have embedded its security team in product development teams.
  • Participate in public-private collaboration opportunities.
  • Participate in robust information sharing within a public-private collaboration group.

There’s general optimism among all respondents about their ability to get, and remain, cyber-ready. Given a choice between an optimistic outlook and a pessimistic view of the future, large majorities said optimism more closely represents their view. Thirteen percent were positive in all areas, and only 2% chose all the negative statements.

Most respondents view more attention from the board and investors as a positive. Nearly three-quarters (72%) expect cyber will become an important board focus as the year progresses. Two-thirds anticipate that data security and privacy will become a focus of investor ESG ratings. 

Rising cyber budgets relative to IT budgets bolsters their positive outlook. Companies are innovating in cyber and privacy, not only solving immediate problems, 64% said. Worldwide spending on information security and risk management technology and services is forecast to grow 12.4% to reach $150.4 billion in 2021, according to the latest forecast from Gartner, Inc. Security and risk management spending grew 6.4% in 2020.*

What do the respondents think of regulation? National and state regulatory enforcement will tighten and help improve cybersecurity, 63% agree. Only 37% think inconsistency in enforcement will allow poor cyber practices to continue.

Private-public collaboration didn’t fare as well in our study. CISOs and CIOs were least optimistic about its improvement. They also indicated doubt in the federal government’s ability to robustly defend private industry against nation-state cyber threats.

* Gartner Press Release, Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021, May 17 2021.

Quality beats quantity for public-private cyber collaborations

Truly understanding and planning the response to a major cyberespionage attack is like putting together puzzle pieces — 90% of which are in the hands of private companies. 

Most (84%) say they participate in public-private information-sharing — but how effective are their efforts when their collaborators are competitors or don’t trust one another?

Companies don’t generally do breach reporting well. Instead of volunteering details, they hide them away — hamstringing government efforts and creating a self-fulfilling prophecy. Absent a voluntary commitment to cooperate and collaborate, a federal data breach reporting law can force the issue. Companies, for their part, might want to know their disclosures are confidential, and to seek assurance that they won’t face liability or be subject to enforcement action from the Federal Trade Commission or other regulators. 

Without business participation, governments really can’t defend against nation-state attacks. Private enterprise’s reluctance to divulge breach information needs to change, especially given attackers’ methods such as advanced persistent threats, which can cause widespread harm without detection. Effective defense demands a risk-based, strategic, carefully-crafted plan that changes as tactics do. To get it right, companies should put all their puzzle pieces on the table.

According to our survey, public-private collaboration is fairly commonplace. Nearly 40% say they lead a collaborative initiative, and another 45% are active participants. But companies should focus on the quality of those collaboration mechanisms.

The financial sector — guardian of our individual and collective wealth — provides a model for effective public-private collaboration under the National Cyber-Forensics and Training Alliance (NCFTA). In these private-only meetings, no regulators are in the room. Companies share their information and aggregate the data. They use deconfliction, coordination and collaboration techniques to help solve common problems. And the NCFTA’s reported outcomes are tangible, such as financial losses prevented. 

For collaboration that pays off, focus on quality and outcomes

Leading an initiative
Active participant

Robust information sharing within a private-public collaboration group
Industry-led collaboration like ISACs
Discussions about industry standards with agencies like NIST
International cyber-specific working group with defined agenda
A national cyber-specific group with a defined agenda
Participation in private-public sector collaboration groups such as NCFTA and NDCA
Robust relationship with the government through the FBI, CISA, or NSA

Q: How engaged are you in private-public sector collaboration on cyber and privacy matters?
Source: PwC, US Digital Trust Insights Snapshot Survey 2021, June 2021. Base: 322


Set priorities for better private-public collaboration using a risk-based approach. Encourage industry associations and other private-sector groups to do the same. Persuade federal agencies to be outcome-oriented, setting security and resilience goals and using them to measure their partnerships’ progress. 

Know what your company needs from the government. Define how the government can better help your organization to defend itself, including the key cyber issues you face — and include your government relations people.

64% expect a jump in reportable ransomware and software supply chain incidents in the second half of 2021

1. The cyber-threat landscape: The digital rush left many exposed

Learn more

81% of those who quantify cyber risk say it helped increase productivity and focus on strategic matters

2. Big bets: Cloud security, cloud security, cloud security

Learn more

Around 50% have restructured their security teams and embedded them in product development and business teams

3. People in cyber: Going all-in on cyber starts from the top

Learn more

Investments, CEO and board attention, and forward-looking CISOs make for a cyber-ready organization

4. Despite heightened risks, hope flourishes

About the survey:

This US Digital Trust Insights Snapshot is a poll of 322 security and technology executives (CISOs, CIOs and similar titles) of US-based companies in April 2021. Sixty-nine percent of respondents are executives in large companies ($1 billion and above in revenues); 9% are in companies with $10 billion or more in revenues. Respondents come from a range of industries: Industrial manufacturing and automotive (23%), tech, media, telecom (19%), financial services (15%), consumer markets (15%), health (14%), and energy, utilities and mining (13%). PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

Contact us

Sean Joyce

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Joseph Nocera

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.