It’s always a breakthrough moment when someone decides to face their fears in a tangible, pragmatic way. That’s especially true for cyber security, and the moment when a business leader stops seeing cyber threats as a ‘someday’ risk from a ghostly enemy, and instead sees them as a business reality in the form of a savvy and entrepreneurial criminal competitor.
That moment has arrived, based on the findings of the KPMG 2021 CEO Outlook of 1,325 chief executives who revealed that:
- They now see cyber security as a top business priority
- They must prepare for a cyber incident today, not tomorrow
- They must embed a cyber security culture including ‘secure by design’ thinking, to manage these risks, truly benefit from their supply chain ecosystems, and earn digital trust with stakeholders
This is a priority, today
The fact that senior business leaders now see cyber security as a top business issue resonates in our survey. For example:
- Cyber security risk vied with today’s burning environmental and supply chain issues as the top threat to organisational growth over the next three years
- 79% say they view information security as a strategic function and as a potential source of competitive advantage
- Cyber security resiliency is among their top three operational priorities over the next three years
These attitudes represent a big shift from just five years ago, when cyber security was viewed as a ‘tech issue’ for the IT team in the basement. This changed perspective makes sense, given the all-too-frequent headlines about crippling cyber-attacks on companies and governments just as they embrace sweeping digitisation and functional interconnectivity. In fact, our survey found that half of organisations plan to collaborate with third-party cloud technology partners, and 42 percent will partner with third-party data providers, adding urgency to safeguarding against increasingly complex supply chain cyber risks.
A healthy dose of self-doubt
It’s also heartening to see that senior leaders are taking a more critical look at their own readiness for such threats. For example, the percentage of survey respondents who claim they are ‘very well prepared for a future cyber-attack’ dropped from 27% in 2019 to 10% in 2021, with those feeling ‘well prepared’ overall falling from 68% to 58% over that timeframe. This decline perhaps reflects the growing realisation by executives that cyber security requires constant vigilance, not a one-time investment.
They are also attuned to the issue of ransomware attacks: while 57% said “I have a plan to address a ransomware attack”, only 8% agreed strongly with the statement, and 11% were frank in admitting they have no such plan.
They also appreciate the consequences of inaction, since 75% stated that a strong cyber strategy is critical to engender trust with their key stakeholders. This suggests an understanding that ‘digital trust’ with stakeholders is becoming a key driver of their organisation’s brand health and future growth.
Getting down to business
But if acceptance is half the problem, how do these organisations then solve the remainder? Nearly half of survey participants (46%) say that, over the next three years, they will either focus on improving cyber security skills or strengthen their governance around operational resilience and the ability to recover from a major incident.
Many respondents also showed a nuanced understanding of the matter. For example, 79% said that “Protecting our partner ecosystem and supply chain is just as important as building our organisation’s cyber defences.” And, 72% said “It will take an industry wide approach to properly address the issue of ransomware demands.”
This realisation that one cannot simply put a ‘wall around their garden’ is a positive indicator. In fact, an increased ‘community approach’ could lead to greater cooperation with industry peers and law enforcement agencies to disrupt organised cyber-crime. Hopefully, it will lead to more transparent corporate disclosure of cyber incidents, rather than quietly paying ransomware demands. For years, we’ve witnessed impressive intelligence sharing and collaboration in the banking sector. Now, other industries are demonstrating greater openness, from technology and telecommunications to the oil & gas and utilities sectors.
Embedding a cyber culture
It’s also promising that 81% say that “building a cyber security culture is just as important as building technological controls.” This is a watershed realisation since we know that it is now unsustainable to depend upon a central cyber security team to reactively defend all the vulnerabilities across a company’s products, channels, systems and infrastructure.
Instead, imagine an organisational culture where all business leaders and executives share responsibility for achieving cyber resiliency — and safeguards are built into the development process, so that new products, services and connectivity are ‘secure by design,’ rather than frantically retrofitted to resolve each security gap.
We see such best practices in leading sectors, where CISOs no longer act only as translators of cyber matters to business leaders. Rather, they are internalising these values within each business function by embedding dedicated Business Information Security Officers (or similarly titled team members), who integrate the right practices into day-to-day business decision-making while drawing upon centralised security guidance, resources and processes. But let’s be honest, there is much more to do to achieve these goals, with just 19% of our survey respondents saying that they plan to embed security and resilience principles into the design of future systems and services to address digital risks.