Organisational leaders recognise the importance of verifying and safeguarding their business information. Asked to frame the cybersecurity mission, the number-one response was, “A way to establish trust with our customers with respect to how we use their data ethically and protect their data.” Eighteen percent of CEOs and 20% of non-CEOs selected customer trust as the way the CEO frames the cyber mission in their organisation.
Data infrastructure and data governance rank as the two most needlessly complex aspects of business operations in PwC’s 2022 Global Data Trust Insights Survey: 77% say both have “avoidable, unnecessary” levels of complexity. About three-quarters say complexity in these areas poses “concerning” risks to cybersecurity and privacy. Complexity of data can stymie any organisation’s ability to effectively use the information it collects and generates.
Organisations first need to set up that good foundation we call data trust: making sure your data is accurate and verified and secure so you can rely on them for business decisions. (And when it comes to customer data, you want to make sure customers know they can trust you to keep their information safe from unauthorised eyes.)
But only about a third of respondents report having mature, fully implemented data-trust processes in four key areas: governance, discovery, protection and minimisation. Nearly a quarter of our respondents say they have no formal data-trust processes in place at all.
Only about one-third of organisations report having a full, formal data governance program — a surprisingly low number. Once you’ve crafted your data strategy, governance — the policies, procedures and processes for fulfilling the strategy — should follow immediately.
Securing your data from tampering as well as theft is also critical to success, yet only about one-third of respondents report having in place fully implemented, formal data security processes including encryption and secure data-sharing (34%). Verifying and protecting the integrity of your data is essential as well. Not doing so is like hiring workers without fact-checking their resumes. You can’t be certain of the quality of the information.
And only 35% have mapped all their data, meaning they know where it comes from and where it goes. The same goes for those who have mature data minimisation processes.
Data is the asset attackers covet most. Your companies can minimise that risk by minimising the target. You must govern, discover and protect only the data you need — and eliminate the rest. Drafts, duplicates, superseded data, legacy data and employee personal data are common candidates for elimination. Low-value data not only creates unnecessary risk, it also crowds out or buries your high-value data.
The two-thirds of organisations that haven’t formally implemented data trust practices may be at risk in more ways than one. Effective data governance is important not only for operational resilience but also for compliance with regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). New, more stringent regulations loom on the horizon as well. When someone asks for information about their data — what you’re keeping and what you’re doing with it — you’d better be able to answer quickly and accurately. If it’s a regulator doing the asking, the wrong answer could bring heavy fines.
Turning data into true assets that can increase your revenues is one benefit of good data security — as some leading businesses are discovering. Our “most improved” are more than 10x more likely to have a formal process fully in place for all data trust practices.
According to our Trust in Data Survey, companies with more mature data trust practices tend to be ahead in many respects. They earn revenues from data monetisation by personalising services, operating more efficiently and better serving their customers. They strongly agree that higher customer trust leads to demonstrably higher revenue. They’ve made significant moves in the past year to improve customer and investor trust. And they’re more confident in their third-party risk management program because they monitor their third parties more.
Percentages who say they have fully implemented formal processes around these data trust practices
Chances are good that neither you nor your competitors are letting data inform your cyber risk management. Fewer than one in three of survey respondents say they’ve integrated analytics and business intelligence tools into their operating model.
These respondents scored lowest in their ability to turn data into insights for cyber risk quantification, threat modeling, scenario building and predictive analysis — all critical technologies for smart cybersecurity decisions.
So many entities fail to benefit from today’s advanced intelligence tools and approaches. New types of internal data, data from new external sources, new data partnerships and information-sharing platforms can be important sources of business intelligence, but only about a quarter of respondents say they’re reaping benefits from these tools.
The other three quarters are missing out. Businesses predicting an increase next year in their cybersecurity spending are often the same enterprises whose operational models use business intelligence and data analytics. Data can not only help you spend your cyber budget wisely, it can also help you get more to work with. The most improved (top 10% in cyber outcomes) are 18x more likely to state that these advanced approaches are integral to their operating model.
Percentage who say these are critical to their operating model today
Percentage who report realising benefits from these tools and approaches
“In today’s system-of-systems world, cybersecurity can no longer be treated as a ‘too-hard-to-measure’ problem,” the US Cybersecurity and Infrastructure Security Agency argues. Still, as we saw above, only 26% quantify cyber risks today.
The data you use to spot and understand threats, put a dollar figure on risks and prioritise them, and predict cybercrime trends can be a powerful tool for convincing boards and the CEO to invest in your cyber program. On the other hand, if you’re having trouble getting the funding you need for cyber, you may need to do a better job of quantifying your cybersecurity risk.
By the same token, data can help you stay apprised of real-time risks, and adjust security tactics and strategies as the business shifts. Respondents in five business sectors said the most important reason to quantify cyber risk is “to continuously evaluate our risk landscape and priorities against changing business objectives.” Enterprise leaders recognise that risks are always in a state of flux and that data is the tool that lets them monitor and measure changes.
Sizing up risks is also important for sizing up opportunities and linking cyber-threat narratives to business narratives that the C-suite and boards can understand. A growing number of organisations recognise the importance of cybersecurity to business — but many still have a long way to go. Between 37% and 42% claim “significant progress” linking the two, while 16% to 18% say they’ve made little or no progress aligning cyber and business goals.
Our respondents do make predictions about the next 12 months. Sixty percent expect an increase in cybercrime; 53% say nation-state attacks are likely to grow. Mobile, the Internet of Things, and cloud top the list of anticipated targets. But the type of attack could take almost any form, in our respondents’ minds. Cloud service attacks (22%) narrowly edged out ransomware (21%) and cryptomining (21%) as most likely to see significant increases, and a long line of other attack types scored at 20% and 19%. Notably, 56% expect a rise in breaches via their software supply chain, with 19% eyeing significant increases — a number that grows to 25% among North American respondents.
For the CFO
For the CISO
Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US