Why CIOs are Embracing Enterprise Risk Management to Improve Cyber security
By David Burg, Global & U.S. Advisory Cyber Security Leader, PwC
Businesses across sectors and around the world have reached a tipping point on cybersecurity. As risks continue to escalate, it’s becoming clear that existing approaches simply are not working.
In The Global State of Information Security Survey 2015, PwC found that the number of detected security incidents increased at a compound annual growth rate of 66 percent over the past five years. And it’s not just the frequency of incidents that’s surging— cyberattacks are also becoming increasingly multi-faceted and destructive. Last year’s assault on a U.S. entertainment company, in fact, introduced an entirely new level of malice. The perpetrators not only stole valuable intellectual property, but they also released personal data and corporate documents that included damaging employee communications and payroll information. The attack also disrupted the company’s email and telephone systems and included an unprecedented threat of physical violence to individuals.
It’s no wonder, then, that concern about cybersecurity risks has become top of mind among executive leaders. PwC’s 18th Annual Global CEO Survey 2015 shows that concern about cyberthreats increased more than any other risk factor over the past year. And nowhere is that unease more pronounced than in the U.S., where apprehension about cyberthreats is second only to worries about government regulation. In fact, the percentage of U.S. executives who say that they are “extremely” concerned about cyber threats has doubled in the past year: 45 percent of CEOs reported the highest level of concern, up from 22 percent in 2014.
“Cloud-based security can significantly reduce the need to purchase, maintain, and enhance technology infrastructure”
As more executive leaders and Boards of Directors become concerned about cyber-risks, they’re asking their CIOs about the company’s cyberthreat landscape and response readiness.
Forward-thinking CIOs are not only delivering a clear picture of current risks and readiness, they are also emphasizing the importance of understanding cybersecurity as an enterprise-wide business risk issue. They are taking the lead by explaining why cyberthreats are among the most significant business risks facing their organizations, and how cybersecurity incidents can result in potentially crippling financial, legal, and reputational consequences.
Given the complexity of today’s evolving threats and the technologies and processes used to combat them, that’s not an easy message to formulate. In fact, educating corporate leaders about the importance of cybersecurity risk readiness and well-rehearsed response processes is a challenge for many CIOs.
That’s one reason why PwC developed a role-playing simulation called Game of Threats. The game simulates a realistic data breach scenario that allows executives to see how a cyberattack plays out, from the perspective of both the hacker and the company under attack. The role-playing game helps executives understand the consequences and nuances of breach responses, as well as the importance of ensuring that the necessary cybersecurity resources are available and properly used.
Another way that CIOs are advancing their cybersecurity programs is by adopting new technologies and architectures that can deliver powerful security, privacy, and compliance protection. In particular, forward-leaning CIOs are embracing cloud-based cybersecurity services. In The Global State of Information Security Survey 2015, PwC found that 22 percent of respondents who use cloud computing said they leverage the cloud for security services, in addition to traditional deployments like file storage and hosting of data and applications.
These CIOs are in the vanguard of what PwC sees as a powerful new approach to cybersecurity. In recent years, cloud providers have invested in cutting-edge tools for data protection, threat defense, network security, and identity and access management. More importantly, they also have added infrastructure capabilities that enable them to improve intelligence gathering and threat modeling, better block attacks, enhance collaboration and collective learning, accelerate incident responses, and create secure communications channels.
These capabilities can help CIOs address security threats that arise as more businesses share more data that are sensitive with third-party contractors, suppliers, and partners. To do so, cloud-based cybersecurity services can create an infrastructure that provides third parties with appropriate access to the systems and data they need—without giving them credentials to the corporate network.
Cloud advantages are augmented by the scalability of the underlying architecture, which allows service providers to deliver access to considerably more information security technology than most organizations could afford on their own. Cloud-based security can also significantly reduce the need to purchase, maintain, and enhance technology infrastructure and hire support personnel, enabling companies to address cybersecurity fundamentals at a lower cost.
One thing seems certain: Sophisticated and increasingly damaging cyberattacks are the new normal, and there is no going back. Farsighted CIOs are taking the lead in implementing an adaptive cybersecurity strategy that is based on the fundamentals of Enterprise Risk Management and empowered by technology breakthroughs like cloud-based security. That’s a strategic approach that is likely to define the nature of cyber-risks and responses in the coming decade.