Now in its 18th year, The Global State of Information Security® Survey 2016 – a worldwide survey by CIO, CSO and PwC – observes a fundamental shift in the way business leaders are responding to today’s biggest security challenges. Recognizing the rising cyber risks, a growing number of boards and executives are taking action to improve their organization’s security posture. Furthermore, emerging trends and technologies have led businesses to embrace this risk, and connect security to their overall goals and objectives of growth, innovation and leadership. This year’s publication includes the responses of more than 10,000 CEOs, CFOs, CIOs, CISOs, and CSOs, as well as VPs and directors of IT and security practices from 127 countries.
Key Findings
Risk-Based Frameworks
“91% have adopted a risk-based cybersecurity framework” (pg. 4).
An overwhelming majority of organizations said they’ve adopted a security framework – or a variety of them – as the strategy and foundation of their cybersecurity program. According to the report, the most commonly adopted frameworks included the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as the ISO 27001 guidelines. Among the many benefits that these frameworks offer, nearly half of respondents (49 percent) listed the ability to better identify and prioritize security risks, while 47 percent said they have since been better able to quickly detect and mitigate incidents.
Source: PwC, The Global State of Information Security® Survey 2016
Cloud-Based Security
“69% use cloud-based cybersecurity services” (pg. 5)
Most organizations are leveraging cloud-based cybersecurity tools for a broad range of critical services, such as real-time monitoring and analytics (56 percent), threat intelligence (47 percent), end-point protection (44 percent), advanced authentication (55 percent), as well as identity and access management (48 percent). Companies are making considerable investments in these cloud-managed services to develop new network infrastructure capabilities, which enable them to further protect sensitive data, strengthen privacy and confidently safeguard consumer information.
The Internet of Things
The proliferation of the Internet of Things (IoT) will bring huge advantages to organizations but these interconnected devices are also quickly expanding the attack surface. According to the report, the number of survey respondents who reported exploits to IoT components, such as embedded devices, operational systems and consumer technologies, more than doubled this year – from 34 percent in 2014 to 86 percent in 2015. Despite the significant spike, companies are just starting to gear up for the rapid rise of IoT, with only 36 percent of respondents stating they have a security strategy specifically addressing the Internet of Things.
Threat Intelligence Sharing
Over the past three years, the number of organizations embracing external collaboration has steadily increased, the report adds. This year, 65 percent of respondents said they collaborate to improve security and reduce cyber risks – up from 50 percent in 2013. In addition to enhancing their threat intelligence and awareness, these partnerships allow organizations to share and receive more actionable information from industry peers, government agencies, law enforcement and Information Sharing and Analysis Centers (ISACs). “Some businesses believe they can learn quite a bit from others across industries,” read the report. “For example, cybersecurity challenges often do not differ by sector but rather by an entity’s size or constituency—a big bank might have much more in common with a large pharmaceutical company than it does with a regional bank.”
Executive Involvement
Another significant milestone is the fact that boards of directors are beginning to take part in most aspects of information security, with 45 percent of respondents stating their boards now participate in the overall security strategy. As a result of this increased involvement, 24 percent of respondents saw a boost in their security spending, among other benefits, such as fostering an organizational culture of security and better alignment of information security with risk management and business goals.
“Perhaps more than anything, however, Board participation has opened the lines of communication between the cybersecurity function and top executives and directors,” read the report. It’s crucial for business leaders to feel confident in their understanding of the cyber challenges unique to their industry and organization – the board’s involvement is a critical step in changing the culture of business to proactively mitigate these risks.
Conclusion
The report highlights noteworthy progress towards organizations’ willingness to invest in security. Now more than ever, business leaders across the globe are becoming aware of how cybersecurity has strategic, cross-functional, legal and financial implications. "We are seeing more of what we once saw as a risk, being turned into possible solutions," said David Burg, PwC's Global and US Advisory Cybersecurity Leader.
"There is no one-size-fits-all model for effective cybersecurity. It's a journey toward a future state that starts with the right mix of technologies, processes, and people skills. With those components in place, cybersecurity can potentially serve as an indispensable ongoing business enabler," said Burg.