From the Cyber & Privacy Innovation Institute
PwC’s Digital Trust Insights Pulse Survey of 141 security and information leaders is akin to an after-action report on the first responses to the COVID-19 pandemic. How did they weather this extreme test of resilience? How are they rethinking their strategy and investments going forward?
The digital economy propped up the whole economy when businesses shuttered workplaces during the coronavirus outbreak. Tech firms and digitally native companies provided the backbone, while other businesses accelerated digitization — including automation, virtual collaboration, distributed work, cloud adoption, telehealth, direct-to-consumer channels, drone monitoring and 3D printing.
Boards and C-suite executives, who in the past may have wondered about the return on investment for all the cybersecurity personnel, solutions and architectures, don’t anymore. The value of their cybersecurity expenditures over the years — and of the CISO’s leadership — became crystal clear during this crisis.
Today, CISOs and CIOs are adjusting to a different future. All but two percent of CISOs/CIOs plan shifts in cyber strategy. They’re reprioritizing investments. Seventy percent expect their organization’s revenues to decrease in 2020 as a result of COVID-19; more than a quarter anticipate declines of more than 25%. It’s a once-in-a-lifetime kind of challenge. CISOs and CIOs must play a major role as businesses pursue twin goals in coming months: accelerating digital models and restoring organizations to financial health.
CISOs surveyed said they invested in eight different areas, on average, over the past two to three years. The ones that paid off the most during the crisis were investments related to three capabilities. Critical to the sudden large-scale shift to remote work were investments such as VPN, VDI, mobile device management, endpoint security and identity-based network architecture. Helpful for crisis management were investments in resilience capabilities, such as business continuity and disaster recovery planning and managed detection and response services. Investments in data-driven risk management — such as real-time threat intelligence, use of data analytics and quantification of cyber risk — were also helpful as information evolved quickly during the crisis.
Was making the right investments just a matter of good luck, or was it due to foresight? The answer lies beyond the scope of this Pulse Survey. But we know this from our 2019 Digital Trust Insights study on business-driven cybersecurity: Only about 25% of cybersecurity organizations had reframed their team’s mission to align with the company’s strategic goals. Business-driven cybersecurity leads to cyber investments that are more likely to yield tangible returns.
Cyber attacks increased in March and April, said more than half of the respondents, and about the same percentage expect an uptick in intrusions over the next six months. A phishing outbreak spread as the coronavirus and responses to it (the CARES Act, stimulus and relief programs) provided fresh, highly effective topical lures for business email compromise and social engineering campaigns. Remote work set-ups, accomplished quickly to enable business continuity, have brought increased exposure to threats. Attacks that were less prevalent — ransomware and denial-of-service attacks — show the largest increase in the number of survey respondents who expect rising risks through the end of 2020.
Cybercriminals, hackers and nation-state actors will continue to deploy proven techniques and invent new ones. Security analysts, investigators and incident responders, as well as penetration and vulnerability testers, will stay extremely busy responding to threat activity that will be elevated and will continue to evolve.
Businesses demonstrated that they can quickly and smoothly shift their workforces from on-premise to remote. But many admit that they have much more to do to prove that their remote-work arrangements are secure.
The increase in distributed work — the mix of remote work, on-premise work and managed services that’s here to stay — means that security plans and tests designed to defend a network perimeter are now a liability. With distributed work, the distinction between protections outside the firewall and protections inside it has been erased.
Identity-based network architectures and Borderless Data Access Controls (BDAC) can help. BDAC asks “who, what, where, why and how” for every attempt — internal and external — to gain access to your critical data and infrastructure, and it authenticates relentlessly. Regardless of where the user or device is located, all face the same stringent scrutiny before accessing sensitive data. It’s consistent with a zero trust model: trust isn’t freely given; it must be earned. Everyone must pass the virtual “sniff test” every time, and continuously.
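As an added illustration of the “who, what, where, why and how” check described above (example code written for this page, not PwC’s BDAC or any product), the small policy evaluator below runs the same checks on every request and records network location for audit without ever letting it grant access. The resource names, roles, session thresholds and sample requests are constructed assumptions.

```python
"""Zero-trust style access decision: every request is checked on who, what,
where, why and how, and network location never grants trust by itself.
Added illustration; resource names, roles and thresholds are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # who: entitlements asserted by the identity provider
    mfa_verified: bool        # how: authentication strength of this session
    device_managed: bool      # what: device enrolled in management
    device_patched: bool      # what: device posture check passed
    source_network: str       # where: "corp-lan", "vpn" or "internet" (logged only)
    resource: str             # what is being accessed
    action: str               # "read" or "write"
    purpose: str              # why: business justification or ticket reference
    session_age_min: int      # continuous: minutes since the last authentication


# Constructed data classification and entitlements (assumptions for the example).
SENSITIVITY = {"payroll-db": "restricted", "team-wiki": "internal"}
ENTITLED_ROLES = {"payroll-db": {"finance"}, "team-wiki": {"staff", "finance"}}
REAUTH_AFTER_MIN = {"restricted": 30, "internal": 480}


def evaluate(req):
    """Return ("allow" or "deny", [reasons]). Every check runs for every request."""
    sensitivity = SENSITIVITY.get(req.resource)
    if sensitivity is None:
        return "deny", ["unknown resource: default deny"]
    reasons = []
    if not (req.roles & ENTITLED_ROLES[req.resource]):
        reasons.append("who: role not entitled to resource")
    if not req.mfa_verified:
        reasons.append("how: MFA required on every access path")
    if sensitivity == "restricted" and not (req.device_managed and req.device_patched):
        reasons.append("what: device posture insufficient for restricted data")
    if sensitivity == "restricted" and not req.purpose:
        reasons.append("why: purpose must be recorded for restricted data")
    if req.session_age_min > REAUTH_AFTER_MIN[sensitivity]:
        reasons.append("continuous: session too old, re-authenticate")
    # "where" (req.source_network) is kept for the audit trail but deliberately
    # grants nothing: a corp-lan request with the same attributes fails the same way.
    return ("allow" if not reasons else "deny"), reasons


def sample_decisions():
    """Constructed requests showing that the checks, not the network, decide."""
    finance = frozenset({"finance"})
    reqs = {
        # On the office LAN, but no MFA and no recorded purpose: denied.
        "on_lan_no_mfa": AccessRequest("alice", finance, False, True, True,
                                       "corp-lan", "payroll-db", "read", "", 5),
        # From the internet, MFA done, managed patched device, purpose logged: allowed.
        "remote_mfa": AccessRequest("alice", finance, True, True, True,
                                    "internet", "payroll-db", "read", "TICKET-4711", 5),
        # Same user over VPN, but the session is older than the restricted-data limit.
        "stale_session": AccessRequest("alice", finance, True, True, True,
                                       "vpn", "payroll-db", "read", "TICKET-4711", 45),
        # Internal-tier resource: posture and purpose checks are not required.
        "wiki_staff": AccessRequest("bob", frozenset({"staff"}), True, False, False,
                                    "internet", "team-wiki", "read", "", 100),
    }
    return {name: evaluate(r) for name, r in reqs.items()}


def location_is_irrelevant(req):
    """True if moving the request across networks leaves the decision unchanged."""
    decisions = {evaluate(replace(req, source_network=n))[0]
                 for n in ("corp-lan", "vpn", "internet")}
    return len(decisions) == 1


if __name__ == "__main__":
    for name, (decision, reasons) in sample_decisions().items():
        print(f"{name:15} {decision:5} {'; '.join(reasons)}")
```

The point of the `location_is_irrelevant` helper is the one practitioners most often get wrong when retrofitting a perimeter design: if any branch of the policy lets `source_network == "corp-lan"` skip a check, the zero trust claim is false and the function will report it.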
During the pandemic, a CISO needed to be a tactical/operational CISO, as well as a transformational leader, a post-breach CISO, and a compliance and risk guru (four of the six types of CISOs described by Forrester Research). On average, nearly one-third of the CISO’s time was allocated to crisis management, as expected. But nearly as much time was focused on business-as-usual operational tasks, and nearly one-fourth was devoted to strategic cyber projects.
Half of the CISOs surveyed increased cybersecurity training and awareness for the full workforce, helping employees defend the organization from phishing attacks and remote-work-related risks. More CISOs increased cyber spending (35%) than reduced budgets (15%), but some adjusted staffing through furloughs (23%), headcount reduction (16%) or shifts to managed services providers (33%).
In the past, CISOs were often not included in strategic and business decisions and plans, even those with significant security and privacy implications. The pandemic may have changed all that. CISOs were significantly involved in decision-making around pandemic responses that were both operational and transformational: enabling remote work or work-from-home for the workforce (81%), setting up systems to monitor and report remote workers’ productivity (70%), planning for and coordinating return-to-work solutions for essential workers (71%), and implementing systems or apps to enable the monitoring of employee health and safety (65%).
Increased collaboration with business and risk functions during the crisis was reported by half of the CISOs, another sign of a turning point in CISO interactions.
Crises precipitate new approaches; that’s how leading organizations emerge stronger from them. Greater integration with the business during this crisis is one such positive change that CISOs should sustain. Leading cyber teams bring greater value when they are connected on strategy, on a risk-based approach and in execution. They are twice as likely to work in strategic partnership with other functions that manage risk in their organizations and one-and-a-half times as likely to have a common understanding of how cyber risks fit within enterprise risk management.
CISOs have shown that business executives can be ambitious about the speed and scale of their digitization plans if they collaborate with their security and privacy chief from the start. It’s a way of operating that can also boost cyber teams’ professional satisfaction and purpose at work, and improve their ability to help their organizations. In a tight market for cybersecurity talent, two points that attract and retain talent are business leaders’ commitment to cybersecurity and CISOs who are actively engaged with the business, according to the third annual ESG/ISSA survey.
Crises expose fragilities that are perennially ignored, hard to imagine or too costly to test. This pandemic was no exception. CISOs’ shifts in strategy and priorities are likely grounded in a better understanding of the extent of potential damage that could ensue if they don’t address certain specific gaps and vulnerabilities.
Topping the list of the most frequently mentioned changes in cyber strategy is ‘investing in better information governance standards and frameworks across their enterprise’ (39%). The absence — or patchwork state — of information governance would have been starkly evident to the CISOs as they had to quickly enable employees to work from home or move data to the cloud. They would have had to ask: What are our most critical assets? Where are they? And who has access to them?
Not surprisingly, ‘increasing resilience to severe events’ is another often-mentioned change in strategy (34%). Most organizations have much work to do to catch up to the top 25% of companies that scored well on three measures of resilience in our 2019 Digital Trust Insights study of resilient organizations: visibility into assets and interdependencies, defining and testing impact tolerances, and a set of capabilities that define “resilience by design.”
About half of businesses don’t have an enterprise-wide information governance model (51%) or a common digital governance model (46%), according to our 2019 Digital Trust Insights study on business-driven cyber strategy. These are foundational models for organizations that want to increase cloud adoption or shift to digital operating models. Without these governance models in place, it will be difficult to realize desired cost savings or properly protect sensitive information. When in place, these models function as accelerators to help realize digitization plans and achieve returns.
A majority of CISOs have interacted more frequently with their CEOs (65%) and boards (50%) during the crisis. This trend points to a reset in CISOs’ interactions emerging from the crisis, and it should continue. In 2019, only 33% of all business and IT executives said that their cyber team communicates effectively with the board and senior executives about cyber risks and adjacent risks. But 71% in leading organizations (ones with business-driven cyber teams) report effective communications, according to that study on business-driven cybersecurity.
Effective communications with the board and CEOs requires many leadership skills that will be invaluable in the coming months.
The reopening of workplaces means new and different milestones for organizations to accomplish. CEOs are leading with an eye on both the pragmatic and urgent (how do I contain costs?) and the new and long term (how do I apply tech to deliver a better customer experience, and do things smarter and more efficiently?). There’s repair to be done (how do I close security gaps in remote-work setups?) and a rethink-and-reconfigure to consider (what’s the office for when most of my employees can work in a distributed model?).
This is the new arena where CIOs, CISOs and other business leaders will play in the next six months and beyond. A key question is, will cybersecurity and privacy be strategically woven into every consequential or bold move that corporate chiefs are contemplating?
CISOs love a good challenge. But can they do it under the toughest economic and financial situation in this lifetime? This is where imagination and influence will be required. What is the right cyber strategy to support their company’s reboot? What are the cyber priorities that can create competitive advantage for their company?
This Digital Trust Insights Pulse Survey is a poll of 141 security and technology executives (CISOs, CIOs and similar titles) of US-based companies from May 8 to May 22, 2020. Sixty percent of respondents are executives in large companies ($1 billion and above in revenues); 13% are in companies with $10 billion or more in revenues. Respondents come from a range of industries: Tech, media, telecom (24%), Financial services (23%), Industrial manufacturing and automotive (19%), Consumer markets (17%), Health (12%), and Energy, utilities and mining (4%).
Comparable statistics are drawn from 2019 Digital Trust Insights studies conducted with more than 3,000 business and IT executives around the world.
The 2020 Global Digital Trust Insights, a survey of 3,000 business, security, risk, and tech executives around the world, will be conducted in July 2020.
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this Pulse Survey.