It’s always a breakthrough moment when someone decides to face their fears in a tangible, pragmatic way. That’s especially true for cyber security, and the moment when a business leader stops seeing cyber threats as a ‘someday’ risk from a ghostly enemy, and instead sees them as a business reality in the form of a savvy and entrepreneurial criminal competitor.
That moment has arrived, based on the findings of the KPMG 2021 CEO Outlook of 1,325 chief executives who revealed that:
- They now see cyber security as a top business priority
- They must prepare for a cyber incident today, not tomorrow
- They must embed a cyber security culture including ‘secure by design’ thinking, to manage these risks, truly benefit from their supply chain ecosystems, and earn digital trust with stakeholders
This is a priority, today
The fact that senior business leaders now see cyber security as a top business issue resonates in our survey. For example:
- Cyber security risk vied with today’s burning environmental and supply chain issues as the top threat to organizational growth over the next three years
- 79% say they view information security as a strategic function and as a potential source of competitive advantage
- Cyber security resiliency is among their top three operational priorities over the next three years
These attitudes represent a big shift from just five years ago when cyber security was viewed as a ‘tech issue’ for the IT team in the basement. This changed perspective makes sense, given the all too frequent headlines about crippling cyber-attacks on companies and governments, just as they embrace sweeping digitization and functional interconnectivity. In fact, our survey found that half of organizations plan to collaborate with third-party cloud technology partners, and 42 percent will partner with third-party data providers, adding urgency to safeguard against increasingly complex supply chain cyber risks.
A healthy dose of self-doubt
It’s also heartening to see that senior leaders are taking a more critical look at their own readiness for such threats. For example, the percentage of survey respondents who claim they are ‘very well prepared for a future cyber-attack’ dropped from 27% in 2019 to 10% in 2021, with those feeling ‘well prepared’ overall falling from 68% to 58% over that timeframe. This decline perhaps reflects the growing realization by executives that cyber security requires constant vigilance, not a one-time investment.
They are also attuned to the issue of ransomware attacks: While 57% said “I have a plan to address a ransomware attack”, only 8% agreed strongly with the statement, and 11% were frank in admitting they have no such plan.
They also appreciate the consequences of inaction, since 75% stated that a strong cyber strategy is critical to engender trust with their key stakeholders. This suggests an understanding that ‘digital trust’ with stakeholders is becoming a key driver of their organization’s brand health and future growth.
Getting down to business
But if acceptance is half the problem, how do these organizations then solve the remainder? Nearly half of survey participants (46%) say that, over the next three years, they will either focus on improving cyber security skills or strengthen their governance around operational resilience and the ability to recover from a major incident.
Many respondents also showed a nuanced understanding of the matter. For example, 79% said that “Protecting our partner ecosystem and supply chain is just as important as building our organization’s cyber defenses.” And, 72% said “It will take an industry wide approach to properly address the issue of ransomware demands.”
This realization that one cannot simply put a ‘wall around their garden’ is a positive indicator. In fact, an increased ‘community approach’ could lead to greater cooperation with industry peers and law enforcement agencies to disrupt organized cyber-crime. Hopefully, it will lead to more transparent corporate disclosure of cyber incidents, rather than quietly paying ransomware demands. For years, we’ve witnessed impressive intelligence sharing and collaboration in the banking sector. Now, other industries are demonstrating greater openness, from technology and telecommunications to the oil &gas and utilities sectors.
Embedding a cyber culture
It’s also promising that 81% say that “building a cyber security culture is just as important as building technological controls.” This is a watershed realization since we know that it is now unsustainable to depend upon a central cyber security team to reactively defend all the vulnerabilities across a company’s products, channels, systems and infrastructure.
Instead, imagine an organizational culture where all business leaders and executives share responsibility for achieving cyber resiliency — and safeguards are built into the development process, so that new products, services and connectivity are ‘secure by design,’ rather than frantically retrofitted to resolve each security gap.
We see such best practices in leading sectors, where CISOs no longer act only as translators of cyber matters to business leaders. Rather, they are internalizing these values within each business function, by embedding dedicated Business Information Security Officers (or similarly-titled team members), who integrate the right practices into day-to-day business decision-making, while drawing upon centralized security guidance, resources and processes. But let’s be honest, there is much more to do to achieve these goals, with just 19% of our survey respondents saying that “They plan to embed security and resilience principles into the design of future systems and services,” to address digital risks.
From ghostly enemy to business reality
In many ways, the steps described above are really about ‘re-imagining’ a technology issue as a business response to any competitive threat. Essentially, one must gather intelligence on the adversary, identify weaknesses, build on strengths, look for ways to undermine that adversary’s business model and continuously improve.
By seeing the cyber challenge in this way, business leaders may realize that today’s cyber criminals are not a mysterious ‘ghostly enemy’ but rather just another business competitor — albeit one who hails from the organized crime world and is only too happy to employ illegal tactics and take risk. Fundamentally, they are just one more shrewd competitor who seeks a return on their investment at your company’s expense.
By adopting this mindset, business leaders may gain the confidence to battle this competitive threat in a more strategic and integrated manner. The results of the 2021 CEO Outlook suggest that organizations are indeed ready to face their fears, find their footing, and manage ever-growing cyber security risks.