Survey focus
2021 is already shaping up to be one of the worst years on record for cybersecurity. Ever more sophisticated attackers are plumbing the dark corners of our systems and networks, seeking — and finding — vulnerabilities. The consequences for an attack rise as our systems’ interdependencies are becoming increasingly complex. Critical infrastructures are especially vulnerable. And yet, many of the breaches we’re seeing are still preventable with sound cyber practices and strong controls.
The PwC study “2022 Global Digital Trust Insights” is a survey of 3,602 business, technology, and security executives across the globe, and it shows that companies may be overlooking the riskiest cyber threats of all: those originating from third parties and enabled by the complexity of their organisations.
The survey provides deep and detailed insights on cyber developments, trends, and threats companies are facing in an increasingly complex and interconnected business world and, at the same time, serves as both an analysis and practical guide for your own cyber security strategy. It also shows what differentiates the leaders in cybersecurity from the laggards.
Four cyber questions you need to ask
- Can the CEO make a difference to your organisation’s cybersecurity?
- Is your organisation too complex to secure?
- Are you securing against the most important risks today and tomorrow?
- How well do you know the risks posed by your third parties and supply chain?
Can the CEO make a difference to your organisation’s cybersecurity?
Make ‘simply secure’ your business mantra
Cyber certainly has got CEOs’ attention, but are they taking action? Our findings from the 2022 Global Digital Trust Insights Survey suggest an “expectations gap” for cyber, with CEOs perceiving that they are more involved in and supportive of setting and achieving cyber goals than their teams do. A persistent gap can spell disaster if it instills a false sense of security company-wide, given the CEO’s leading role in defining an organisation’s culture. Cybersecurity is not about technology only, it’s a mindset. And this mindset and culture must be enabled from the top.
A Swiss perspective
While CEOs surveyed in Switzerland believe that they make a significant contribution to cybersecurity in their company, only three out of ten non-CEOs agree with this statement. And while 30% of respondents globally state that their CEO embeds cyber and privacy in key operations and decisions of the organisation, only 16% say so in Switzerland.
Is your organisation too complex to secure?
75% say their organisations are too complex
In an overly complex organisation, it’s common for the left hand not to know what the right hand is doing — and the consequences for cybersecurity and privacy can be dire. Businesses know the risks of complexity, yet only 35% of our respondents have streamlined their operations and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway.
A Swiss perspective
Nearly three quarters of all respondents say their companies are too complex and that the complexity of their organisation poses “concerning” cyber and privacy risks. Data infrastructure (77%) ranked highest among the areas of unnecessary and avoidable complexity. For Switzerland, this figure stands at 86%. However, Swiss executives are less worried about financial losses due to complexity compared to their global peers.
Are you securing against the most important risks today and tomorrow?
Fewer than 1 in 3 organisations use available data and intelligence
Data is the asset attackers covet most. Companies can minimise that risk by minimising the target. But only 35% of respondents have mapped all their data, meaning they know where it comes from and where it goes. And only about a third report having mature, fully implemented data-trust processes. Organisations should govern, discover, and protect only the data they need — and eliminate the rest. Low-value data not only creates unnecessary risk, it also crowds out or buries high-value data.
A Swiss perspective
When making decisions about cyber investments and responding to cyber risks, Swiss respondents very often say that they have not integrated analytics and business tools into their operating model. For example, real-time threat intelligence is only integral to 18% of respondents for smart cybersecurity decisions – compared to 30% globally. Threat modeling, scenario building, and predictive analysis seem to be barely unused technologies in Switzerland (8% vs. 26% globally).
How well do you know the risks posed by your third parties and supply chain?
Only 40% say they thoroughly understand their third-party cyber and privacy risks.
You can’t secure what you can’t see, and most respondents to the PwC 2022 Global Digital Trust Insights Survey seem to have trouble seeing their third-party risks — risks obscured by the complexities of their business partnerships and vendor/supplier networks. 60% of CEOs and other C-suite executives have less than a thorough understanding of the risk of data breaches through third parties, while 20% have little or no understanding of these risks at all – a major blind spot of which cyber attackers are well aware and willing to exploit.
A Swiss perspective
Among all respondents, 56% expect an increase in reportable incidents in 2022 from attacks on the software supply chain, but only 34% have formally assessed their enterprise’s exposure to this risk. In Switzerland, the situation is even more alarming. 35% of Swiss executives say they have little or no understanding about cloud risks and technology vendors risk (compared to 21% and 24% respectively at global level). But Swiss companies lead the way in minimising third-party or supplier risks by simplifying the supply chain and conducting more rigorous due diligence.
A conversation with Philipp Krayenbuehl, Chief Security Officer at Swiss Reinsurance Company
As part of the 2022 Global Digital Trust Insights Survey, PwC interviewed Swiss Re’s Chief Security Officer Philipp Krayenbuehl. In a talk with Urs Küderli, Partner and Leader Cybersecurity and Privacy, PwC Switzerland, he explains the importance of security experts being close to the business from the beginning of each project.
Multiplying the effect: simplifying moves that get you 5x or more results
Strategists and technologists have touted the potential of digital business models to boost business 10x — a Holy Grail promise of exponential returns on digital investments. Likewise, the Survey reveals how simplifying business processes and operations can have a “multiplier” effect on security and privacy.
Here are the four Ps to realising your full cyber potential, as exemplified by most advanced and most improved organisations, who employ them all.
Principle. The CEO must articulate an explicit, unambiguous foundational principle establishing security and privacy as a business imperative.
People. Hire the right leader, and let CISO and security teams connect with the business teams. Your people can be vanguards of simplification even as you build “good complexity” in the business.
Prioritisation. Your risks continually change as your digital ambitions rise. Use data and intelligence to measure your risks continually, as well.
Perception. You can’t secure what you can’t see. Uncover blind spots in your relationships and supply chains.
New findings: 2023 Global Digital Trust Insights
The 25th edition of the Global Digital Trust Insights Survey is now finally available as of November 2022. This year’s report is the C-Suite playbook on cybersecurity and privacy that offers actionable insights about what lies ahead in 2023 and how executives can work together for cyber-ready futures.
Download the study
Do you want to learn more about cyber risks and how risk handling benefits your organisation? Download the PwC 2022 Global Digital Trust Insights here.
https://pages.pwc.ch/core-asset-page?asset_id=7014L0000004zpgQAA&embed=true
About the survey
The 2022 Global Digital Trust Insights is a survey of 3,602 business, technology, and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs, and C-Suite officers) conducted in July and August 2021. Female executives make up 33% of the sample.
Sixty-two percent of respondents are executives in large companies ($1 billion and above in revenues); 33% are in companies with $10 billion or more in revenues.
Respondents operate in a range of industries: Tech, media, telecom (23%), Industrial manufacturing (22%), Financial services (20%), Retail and consumer markets (16%), Energy, utilities, and resources (8%), Health (7%), and Government and public services (3%).
Respondents are based in various regions: Western Europe (33%), North America (26%), Asia Pacific (18 %), Latin America (10 %), Eastern Europe (4%), Middle East (4%), and Africa (4%).
The Global Digital Trust Insights Survey is formally known as the Global State of Information Security Survey (GSISS).
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.
This might also interest you
Contact us
Partner and Leader Cybersecurity and Privacy, PwC Switzerland
Tel: +41 58 792 42 21
Partner, Leader Digital Assurance and Cybersecurity & Privacy, PwC Switzerland
Tel: +41 58 792 84 59