Introduction

This POV will summarise and interpret key findings from research completed by PwC into the most important topics for CISOs in 2024.

Emerging technologies are impacting the cybersecurity landscape.

New threats are increasing, leading to organisational disruptions and distraction. Alongside this increase, there is a decline in confidence from consumers, employees, and stakeholders around data security. These new demands and insecurities call for digitally enabled cybersecurity capabilities that address the evolving trends around information and data security.

Safeguarding data is now at the heart of organisations as they modernise and optimise technology infrastructure, increase the use of cloud, and adopt new technologies such as AI. Implementing such technologies means organisations need to stay on top of their risk management practices as their IT landscapes, and thus their attack vectors, grow. Transparency and visibility around the cybersecurity strategy, to ensure compliance is met, are also important.

The statistics mentioned throughout this POV originate from a PwC survey of 3,876 respondents, all business and technology executives at large global companies.


Key Findings

In this section, Responsiv will be exploring and interpreting what we believe are the key findings from the PwC report ‘What’s Important to CISOs in 2024’.

  1. Increase in cyber transparency to meet new requirements
  2. Cyber resilience
  3. Managing cyber risk effectively
  4. Unlocking the value of data

Increase in Cyber Transparency to Meet New Regulation

Initiatives for improved cyber transparency and visibility are being driven by new regulations.

Research shows a shift to mandatory information-sharing driven by emerging regulations. Policies such as the Securities and Exchange Commission’s (SEC) Cybersecurity Disclosure rule mean businesses are required to disclose cybersecurity incidents (including hacks and breaches), as well as information about their cybersecurity risk management, strategy, and governance. This aims to give investors the insight needed to evaluate the risks of investing in a specific business.

The rule applies to any business that processes data for, or provides business-critical services to, American businesses (similar to the reach of SOX), so UK companies should prepare for increased demand for cybersecurity due diligence under this framework and similar ones.

PwC suggest that the increase in regulation and the need for transparency give organisations the opportunity to build thorough cybersecurity strategies that protect against the many cyber risks businesses face and meet the regulations they are subject to.

Ensuring this transparency will be a key component in building trust among employees, customers, and stakeholders within an organisation.

Typical cyber risks facing organisations and making them vulnerable include:

    • Phishing
    • Cloud misconfiguration
    • Unsupported and unpatched technology (legacy)
    • Malicious insiders
    • Lost or stolen credentials
    • Ransomware and malware

Similarly, the transparency and reporting that takes place will allow for faster response and resolution, limiting risks and ensuring compliance.

‘35% of executives think that mandatory reporting of cyber risk management, strategy, and governance is vital to securing future growth’.

In the current cyber landscape, organisations cannot afford to overlook the need for cybersecurity to stay protected. As the number of regulations, threats, and digital assets increase, security solutions are needed more than ever to provide centralised visibility to organisations. Security solutions also provide a way to increase monitoring capacity outside of human resources, providing 24×7 capabilities at no extra cost, whilst allowing staff to focus on more strategic work.

Decision makers and CISOs will need to focus more on their cybersecurity responsibilities and on approving risk management measures to ensure that compliance is continuously met.

Cybersecurity reporting may be needed for various purposes, whether to evidence compliance (SOX, GDPR, PCI DSS, NIST), to report on data usage and integrity, or to understand vulnerabilities and threats; in each case these reports should provide transparency for security, compliance, and risk management. Reporting enables effective communication between all levels of an organisation, from security managers to the Board. Such reports let stakeholders assess performance based on exposure to threats, while highlighting the success of security efforts and providing context for auditors.

The goal for organisations should be to set priorities to stay compliant using risk management practices.

Cyber Resilience

Many organisations are investing in technology and data to meet new demand from consumers, but this leaves risk leaders with a lack of organisational resilience, according to PwC.

All security endeavours should be business wide, from IT teams to C-suite; organisations should adapt to changes in the cybersecurity landscape and act to guard against threats.

With cyber-attacks becoming more frequent, cyber resilience is more critical than ever in 2024. The data loss that occurs due to an attack can heavily impact an organisation. Therefore, having a strategy in place can limit the impact of financial and reputational loss.

‘Only 2% of companies are optimising and continuously improving across nine cyber resilience best practices.’

PwC indicate that business-wide cyber resilience gives both customers and employees confidence that their data will be kept safe and prepares organisations for a quick response to attacks. Employees should follow policies that support both on-site and remote work, while the business uses robust tools to protect its IT ecosystem from malicious attackers.

Engaging with a trusted security partner can also play a crucial role in building cyber resilience. Building it up will require expertise and access to security solutions that provide proactive engagement in risk mitigation.

Organisations building better cyber resilience should consider:

    • Having a deep understanding of the technology in use and where security gaps may exist, and implementing preventative measures based on these findings
    • Building a response and recovery plan to respond to attacks efficiently and quickly
    • Having the ability and agility to adapt to different cyber threats
    • Providing ongoing cyber training for all employees

Preparedness is vital to staying cyber resilient.

Effectively Managing Cyber Risk

Most businesses depend on information technology to carry out key business functions, in turn exposing them to cybersecurity threats and employee error.

Research found that only three per cent of companies are continuously updating their risk management plans to mitigate cloud-related risk.

The move to cloud has multiple benefits for organisations, but it also increases the attack surface through a larger IT landscape, more active devices, and the potential for misconfiguration. It is therefore essential that technology leaders understand and mitigate the risks of new technologies to ensure that data is kept safe.

Risk cannot be fully eliminated, but risk management practices can reduce the likelihood and impact of cyber threats. Risk management helps organisations understand their security posture and cybersecurity readiness, ensure resources and investments are spent correctly, and mitigate risks.

Businesses should protect confidential data, be ready to minimise downtime for business processes, address regulatory implications, and have disaster recovery plans in place to respond quickly to threats.

‘Only 3% of companies continually update their risk management plans to mitigate nine cloud-related risks.’

Cyber risk management should be an ongoing process rather than a one-time event. Revisiting processes regularly allows a company to review and update strategy with any new threat developments. Cyber risk management activities also allow businesses to comply with regulatory requirements like GDPR.

Reports generated during the monitoring stage of risk management can help companies prove they are maintaining regulatory data compliance. As previously mentioned, cybersecurity risk management requires unified and disciplined controls, with defined roles and responsibilities, so that new information is incorporated and developments are responded to quickly. From this, risk profiles can be built to catalogue potential risks, prioritising them based on how critical each risk is to the organisation.

Unlocking the Value of Data (and keeping it safe)

Organisations are becoming more digitalised and therefore, data needs to be safeguarded. PwC found 25% of executives are incorporating data security and privacy features into services, products, and third-party relationships. Utilising data insights allows organisations to tailor customer experience and in the same breath, prioritise keeping data safe.

‘25% of executives incorporate data security and privacy features into products, services and third-party relationships.’

Additionally, PwC suggest that to stay a step ahead of regulations and proposals, organisations need a tech-enabled understanding of where cloud-based data is, how it is secured and managed, and how it is being used. This awareness helps organisations understand which assets are likely to be priority targets for attack, which data is personally identifiable or falls under the remit of regulation, and who has access to the data and who is actually accessing it. You can’t know what is malicious or non-compliant if it isn’t defined.

Implementing a data governance framework promotes the quality, availability, and security of an organisation’s data through policies and standards. These determine security measures and intended use, with the goal of maintaining high-quality data that is accessible enough to provide deeper insights while remaining secure.

Implementing a data governance framework will increase the value of your data, as it improves overall accuracy and thus improves the insight available for decision making. Furthermore, it ensures data integrity and consistency, allowing a better understanding of business processes and customers, alongside meeting the demands of government regulation.

Conclusion

The ever-growing technical landscape means that CISOs and their wider organisations should focus on building a strong cybersecurity strategy. Businesses should embrace digital innovation to ensure their data is kept secure, whilst understanding the risks this also brings.

Increasing cyber resilience, improving risk management, and following regulations will hold organisations accountable and ensure they are taking action to keep data safe. Improving cybersecurity practices will allow businesses to decrease the likelihood of threats creating serious damage due to the preparation already in place; either keeping the risk at bay or reducing the time to recovery.

Data is the most powerful asset an organisation can utilise to achieve business goals. Investing in data management and security tools will ensure organisations have a centralised platform for cybersecurity visibility.

Read the PwC report around the important topics CISOs should focus on in 2024 here: What cybersecurity issues are important to CISOs in 2024: PwC
Get in touch today to talk about your cybersecurity strategy in 2024!
