enterprisesecuritymag

Why CIOs are Embracing Enterprise Risk Management to Improve Cybersecurity

David Burg, Global & U.S. Advisory Cyber Security, PwC

Businesses across sectors and around the world have reached a tipping point on cybersecurity. As risks continue to escalate, it’s becoming clear that existing approaches simply are not working.

In The Global State of Information Security Survey 2015, PwC found that the number of detected security incidents increased at a compound annual growth rate of 66 percent over the past five years. And it’s not just the frequency of incidents that’s surging—cyberattacks are also becoming increasingly multi-faceted and destructive. Last year’s assault on a U.S. entertainment company, in fact, introduced an entirely new level of malice. The perpetrators not only stole valuable intellectual property, but they also released personal data and corporate documents that included damaging employee communications and payroll information. The attack also disrupted the company’s email and telephone systems and included an unprecedented threat of physical violence to individuals.

It’s no wonder, then, that concern about cybersecurity risks has become top of mind among executive leaders. PwC’s 18th Annual Global CEO Survey 2015 shows that concern about cyberthreats increased more than any other risk factor over the past year. And nowhere is that unease more pronounced than in the U.S., where apprehension about cyberthreats is second only to worries about government regulation. In fact, the percentage of U.S. executives who say that they are “extremely” concerned about cyber threats has doubled in the past year: 45 percent of CEOs reported the highest level of concern, up from 22 percent in 2014.

As more executive leaders and Boards of Directors become concerned about cyber-risks, they’re asking their CIOs about the company’s cyberthreat landscape and response readiness. Forward-thinking CIOs are not only delivering a clear picture of current risks and readiness, they are also emphasizing the importance of understanding cybersecurity as an enterprise-wide business risk issue. They are taking the lead by explaining why cyberthreats are among the most significant business risks facing their organizations, and how cybersecurity incidents can result in potentially crippling financial, legal, and reputational consequences.

Given the complexity of today’s evolving threats and the technologies and processes used to combat them, that’s not an easy message to formulate. In fact, educating corporate leaders about the importance of cybersecurity risk readiness and well-rehearsed response processes is a challenge for many CIOs.

That’s one reason why PwC developed a role-playing simulation called Game of Threats. The game simulates a realistic data breach scenario that allows executives to see how a cyberattack plays out, from the perspective of both the hacker and the company under attack. The role-playing game helps executives understand the consequences and nuances of breach responses, as well as the importance of ensuring that the necessary cybersecurity resources are available and properly used.

Another way that CIOs are advancing their cybersecurity programs is by adopting new technologies and architectures that can deliver powerful security, privacy, and compliance protection. In particular, forward-leaning CIOs are embracing cloud-based cybersecurity services. In The Global State of Information Security Survey 2015, PwC found that 22 percent of respondents who use cloud computing said they leverage the cloud for security services, in addition to traditional deployments like file storage and hosting of data and applications.

These CIOs are in the vanguard of what PwC sees as a powerful new approach to cybersecurity. In recent years, cloud providers have invested in cutting-edge tools for data protection, threat defense, network security, and identity and access management. More importantly, they also have added infrastructure capabilities that enable them to improve intelligence gathering and threat modeling, better block attacks, enhance collaboration and collective learning, accelerate incident responses, and create secure communications channels.

These capabilities can help CIOs address security threats that arise as more businesses share more sensitive data with third-party contractors, suppliers, and partners. To do so, cloud-based cybersecurity services can create an infrastructure that provides third parties with appropriate access to the systems and data they need—without giving them credentials to the corporate network.

Cloud advantages are augmented by the scalability of the underlying architecture, which allows service providers to deliver access to considerably more information security technology than most organizations could afford on their own. Cloud-based security can also significantly reduce the need to purchase, maintain, and enhance technology infrastructure and hire support personnel, enabling companies to address cybersecurity fundamentals at a lower cost.

One thing seems certain: Sophisticated and increasingly damaging cyberattacks are the new normal, and there is no going back. Farsighted CIOs are taking the lead in implementing an adaptive cybersecurity strategy that is based on the fundamentals of enterprise risk management and empowered by technology breakthroughs like cloud-based security. That’s a strategic approach that is likely to define the nature of cyber-risks and responses in the coming decade.
