➤ Almost two-thirds of CEOs are not confident in their ability to mitigate a geopolitical cybersecurity threat.
➤ The explosion of connected devices in the internet of things makes cybersecurity increasingly critical.
➤ The expenses associated with cybersecurity and resilience will remain part of the cost of doing business going forward.
International professional services firm PricewaterhouseCoopers (PwC) recently included a new set of questions on cybersecurity and cyber resilience in its annual CEO survey, revealing a widespread lack of confidence in critical cybersecurity infrastructure among business leaders, particularly concerning the mounting geopolitical threat. For example, 72% of executives worldwide acknowledge their business could be impacted by geopolitical cybersecurity threats, but only 15% are confident their company can withstand a cyberattack and recover quickly.
S&P Global Market Intelligence caught up with Sloane Menkes, cybersecurity principal at PwC, to discuss the study, its implications and the current state of global cybersecurity.
S&P Global Market Intelligence: Why this study and why now?
Sloane Menkes: So if we're going to ask these new questions, we could basically dive deeper and understand [cyber resilience] better and help our clients understand. We chose the focus on digital resilience because it's a broader connotation than just cyber risk. So many businesses now are relying on digital technology, because it's the system, it's the data, it's the assets that are powering their businesses, so if your business operations get disrupted, then that's going to cost you customers. That's going to cost you money to get your business operations back up.
Why is there such an interest in digital resilience and cybersecurity now compared to years ago?
You've got the rise of operational technology being a key part of the business, and that includes IoT [internet of things] sensors. Regardless of what kind of company you may be, you've got data and information that's being used to make business decisions and operational decisions, which is driving the digitization of how these companies are operating. We're talking about how do you actually shore up this digital resilience, and it gets back to responding, recovering and getting back to business operations effectively and quickly while minimizing your costs.
Organizations need to protect what matters most, the crown jewels. It could be systems. It could be data. It could be IP. Like for pharmaceuticals, it could be a new formula that is not all the way through testing. So these are the things that are so important to protect and yet it's also critical, if you have data and information that underpins how your business is operated, to be sure those are protected as well.
You talk about an "inconsistent web of solutions." It seems like across businesses and governments, that is what the cybersecurity landscape is like. How does industry overcome that?
First, the [U.S. Department of Commerce's National Institute of Standards and Technology] cybersecurity framework focuses on policy, people and technology, in terms of capability and maturity for your cyber and digital resilience. It was created so companies could strengthen and build digital resilience into critical infrastructure. So [following that framework] is the very first thing that a company can do, and it's one of the three things that we highlight.
The second thing is to become proactive, not reactive. Use a data-driven approach. Gather your data, know what you have, and make sure you have an evergreen inventory — and in reality, most people are struggling with that. If you unload more and more IoT devices, those become part of that evergreen inventory app, and maintaining that, and making sure you have high availability and disaster recovery solutions, and therefore faster recovery, is absolutely critical. And then test it and retest it. You want to use a risk-based approach to determine what you need.
Third, there may not be a consensus about how the threat actors are operating because they're changing constantly. So the solutions really do need public and private cooperation. We point to the World Economic Forum Centre for Cybersecurity if there is no alternative because that's available to anyone as an avenue for cooperation and conversations. Because it is going to change, so have that conversation and collaboration.
To bring companies up to speed on threat response, preparation and compliance seems like a massive cost to business and investment in the cybersecurity industry. Is most of that a one-time drain on budgets to prepare, or do you see it as a permanent cost of doing business from here on out?
This is going to become part of the cost of doing business securely, because if you're not digitally resilient, you will lose the trust of your partners or your customers. You will lose your brand's reputation to some breach or loss of data. I do think it is implied in this study that what we're talking about is the cost of doing business in the world today. Having said that, it is critically important to have a risk-based approach in making those decisions. Get to an inflection point where we can stop thinking about securing our digital assets as a cost and instead look at them, those investments, as a value we're creating for the organization, because we're building trust.