To make it cybersecure, CEOs must truly get to know their business

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Sean Joyce, Principal, Global and US Cybersecurity, Privacy & Forensics Leader, PwC US & Joe Nocera, Cyber and Privacy Innovation Institute Leader, PwC US & Richard Horne, Cyber Security Chair, Risk and Quality Partner , PwC UK


• With heightened cybercrime during the pandemic, CEOs are wising up to the threat.

• Money is not a panacea for cybersecurity; a considered strategy is.

• Cybersecurity strategies must be based on a clear vision of business goals.

CEOs around the world now understand the severity and magnitude of the threat that cyberattacks pose to their business. This realization comes not a moment too soon: The global cost of cybercrime is said to exceed $1 trillion. At the same time, CEOs are dramatically stepping up their digitization efforts, PwC’s 24th Annual CEO Survey shows: more than 77% of UK CEOs, for example, expected to increase their investments to do so. https://open.spotify.com/embed/episode/0uqF6UceaRIUZRaQkFnQd5

This is all good progress – but why has it taken so long to get to this point? And how do companies move more rapidly toward being fully digital while keeping their information, systems and networks safe?

Cyber gets its due

Since 2015, cybercrime has made the list of CEOs’ top concerns in PwC’s Annual CEO Survey. In 2020, cyberthreats rank second – topped only by pandemics and other health crises – after sitting in the number four position the previous year. But in North America and Western Europe, cyber is number one.

Though COVID-19 upstaged cybercrime in this survey overall, the pandemic’s tie to cyber can’t be denied. CEOs in most of the world are feeling the urgency to address both, as malicious actors continue to take advantage of vulnerabilities created or exacerbated by the pandemic.

In the US, nearly 70% of CEOs said they are “extremely concerned” about cyberattacks. In Asia Pacific and the Middle East, cyber also ranks second on CEOs’ worry list; in Africa, it comes in third.

Cybersecurity is fast rising as a top CEO concern
Cybersecurity is fast rising as a top CEO concern Image: PWC

The only places where cyberthreats do not rank among CEOs’ top concerns are Central and Eastern Europe (CEE) and Latin America. In both regions, digitization of business processes is still in a fairly early stage.

The prevalance of those who are 'extremely concerned' by cybersecurity threats differs by region
The prevalance of those who are ‘extremely concerned’ by cybersecurity threats differs by region Image: PwC

Money is not the answer

If the global pandemic has a silver lining, it’s this: in the first three months after the pandemic’s declaration in March 2020, many organizations sped up their digitization. Half of the CEOs said they plan double-digit increases in digitization investments over the coming three years.

But only 31% said their cyber and privacy investments will also rise by double digits. On its face, this might seem to be a concern. After all, the cybercrime economy has flourished just as the digital economy exploded.

Then again, money isn’t the only measure of a cybersecurity program’s effectiveness. More isn’t always better. It’s worse, in fact, if cybersecurity spending is pell-mell and piecemeal without an underlying strategy to guide it.

Following the pandemic, digitization and cybersecurity are high up the business priority list
Following the pandemic, digitization and cybersecurity are high up the business priority list Image: PwC

Business leaders might think the best way to solve the cybersecurity conundrum is to simply throw money at it. Enticed by vendor pitches, they buy one solution after another without any plan. In the process, they may end up with a tangled mess of products and services that don’t work together, or technologies that their staff don’t know how to use effectively.

Many tech and security executives – 53% – say they’re not confident that their cyber budgets mesh with the strategy of the enterprise and its business units, PwC’s 2021 Global Digital Trust Insights survey shows. They also aren’t sure that their organizations’ cyber spending really addresses the risks the company faces and uses solid data as a basis for setting priorities. The good news is this: 44% said they were planning a cyber budget overhaul and improving cyber-risk quantification.

To meet the challenges of 2021 and beyond, you need to work with your chief information security officer (CISO) to ensure that cyber spending falls in line with an overarching strategy – and that your programme is streamlined and as simple as can be. Today’s CISO is part transformational leader and part master tactician, and under your direction, they can guide cross-functional teams to ensure that security solutions and systems work together gracefully and effectively to protect the entire enterprise.

What the CEO can do

How you plan to grow should be the driver for every programme in the organization, including cyber. Cybersecurity strategies work best when the CISOs crafting them fully understand their companies’ goals and plans for achieving these business goals.

With a good understanding of your vision and your company’s business strategy, your CISO can help you fully comprehend and mitigate the cyber-risks your organization faces. And your CISO will be able to strike a better balance between complexity and simplicity.

Here are three examples:

Company A has plans for growth via personalized customer experiences, products and services. Risks to this company might include leaks or breaches of personal data, which could violate privacy laws and diminish consumer trust. However, not collecting and making the best use of customer data poses its own risks; namely, not achieving the growth the CEO envisions. The CISO might prioritize a security strategy centred on consumer identity and access management (CIAM), which uses a suite of solutions to manage business customers’ digital identities securely while enabling the use of data to customize services. The CISO could take advantage of new techniques that enable companies to share consumer and customer data while preserving individual anonymity. Confidential computing, for example, encrypts data not only when it’s at rest or in transit, but also when it’s in use. Differential privacy is another example. It’s a technique to share information about group behaviour while protecting information about individuals. New privacy-friendly marketing approaches will depend on such techniques.

Company B aims to grow through the sales of technology products and services. This organization likely faces risks such as components that contain vulnerabilities or malware via software updates, or breaches of their systems via third-party suppliers or vendors. This organization will want a product-centred security strategy, one that works to secure the software and hardware it manufactures or acquires through its supply chain, as well as zero-trust architectures designed to keep bad actors from gaining access to its products or disrupting its supply chain operations.

Company C aims to grow by developing and offering a variety of cloud products, such as developer tools and data analytics. The risks it faces include misconfigurations that could lead to the installation of malware and ransomware, data theft, data loss and denial of service attacks. This company would most likely focus its cybersecurity programme on cloud security, using a security controls framework, automated controls compliance, DevSecOps and infrastructure-as-code tooling, and other cloud-native strategies.

Challenge your CISO to quantify the cyber-risks to your organization and evaluate them against other enterprise risks. When you know which risks are most urgent and why, as well as what is being done and can be done to mitigate them, you can make business decisions with confidence that you’re helping the enterprise to grow in a way that’s safe and secure. Because, when the rubber meets the road, the CEO owns all the risks the business faces. The CISO may run the cybersecurity office, but the risk-mitigation buck stops with you.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority. World Economic Forum | Centre for Cybersecurity

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

At the same time, dare to ask yourself and your CISO how, and where, you can simplify. In 2020, amid the pandemic and other crises, many CEOs realized the need to streamline every aspect of the business. In the rush to digitize, “more is better” may have seemed like a good idea, but too much complexity just gets in the way: of great customer experiences, innovative ideas, agile market responses, employee satisfaction – and security. If you’re in “simplify” mode, make improved security one of the benchmarks of your success.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

UNICEF urges all countries to provide ‘Super Dads’ with paid leave

EP stands up for democracy in Hungary during COVID-19

6 ways to drive funding to transform the fashion industry

Commission supports reform projects in Member States for more jobs and sustainable growth

Scientists studied microbes feeding on Antarctica’s first methane leak – here’s what they found

Bridging the gap: Health through technology

‘Forgotten’ pneumonia epidemic kills more children than any other disease

Is the energy industry meeting its sustainability goals?

Commission concludes that an Excessive Deficit Procedure is no longer warranted for Italy at this stage

Confidence in the COVID-19 vaccine grows in UK and US, but global concerns about side effects are on the rise

Mobile health: The future of global healthcare

Six children among 53 confirmed fatalities after Libya detention centre airstrikes: Security Council condemns attack

Why practicing medicine privately at home is still a (difficult) option?

Afghanistan probe: ‘at least 60 civilians’ killed after US military airstrikes on alleged drug labs

VP McGuinness on women’s rights: “Not an option, but a duty”

Humanitarian migration falls while labour and family migration rises

What can we do about the crisis in trust in public institutions?

6 things to know about the General Assembly as UN heads into high level week

End Syria fighting to avoid ‘even greater humanitarian catastrophe’

Egypt urged to free prominent couple jailed arbitrarily since last June: UN rights office

Recovering from COVID-19: these are the risks to anticipate now – before it’s too late

The needs, challenges and power dynamics of refugee resettlement

COVID-19 and nature are linked. So should be the recovery.

Spending another 3 billion euros on Turkey feels better than admitting EU’s failure

G20 LIVE: The European Sting covers online world news and the latest developments at G20 from Antalya Turkey

Eurozone: Retail sales and inflation point to recession

Access and hesitancy as major challenges surrounding covid-19 vaccination campaigns

North-east Nigeria displacement crisis continues amid ‘increased sophistication’ of attackers, warns UN

Exchanges of medical students and the true understanding of global health issues

What will education look like in 20 years? Here are 4 scenarios

Balancing economic growth and the environment: lessons from Brazil

7 skills every leader needs in times of disruption

World’s most powerful tidal turbine pumps out greener electricity in Scotland

Cyclone Idai: UNICEF warns of ‘race against time’ to protect children, prevent spread of disease in flood-ravaged Mozambique

African cooperation on peace ‘increasingly strong’, Security Council told

Western Sahara: a ‘peaceful solution’ to conflict is possible, says UN envoy

Palliative care and Universal Health Care

Brexit: Britain and the Continent fighting the battle of Waterloo again

How the ‘California effect’ could shape a global approach to ethical AI

3.7 million lives could be saved by 2025 if health services ramp up nutrition actions: WHO

Brexit kick-off: a historic day for the EU anticlockwise

State aid: Commission approves Greek public funding for construction and operation of North section of E65 motorway

Asylum: MEPs call for more solidarity among EU member states

Iraq: Education access still a challenge in former ISIL-controlled areas

It’s time to end our ‘separate but unequal’ approach to mental health

Long-term EU budget: The Union’s ambitions must be matched with sufficient reliable funding

How cities can become more resilient to climate change

SDG progress ‘in danger’ of going backwards without change in direction, new UN report reveals

South Africa’s economy in 5 charts

Terrorist content online: companies to be given just one hour to remove it

Anti-vaccination scaremongering: What should we know about anti-vaccine argument?

Why cities hold the key to safe, orderly migration

UN welcomes ‘most comprehensive agreement ever’ on global health

Remembering Kofi Annan

EU-US ties to break over Iran; Democrats’ electoral win may not change it

MEPs demand unprecedented support measures for EU firms and workers

New UN bullying report calls for ‘safe, inclusive’ schools for all children

UN chief ‘following very closely’ reports of chemical weapons use in Syria’s Aleppo

Greece @ MWC14: Greek-born mobile champions at MWC 2014

UN rights chief Bachelet appeals for dialogue in Sudan amid reports ‘70 killed’ in demonstrations

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s