When it comes to cybersecurity, a new Global State of Information Security for 2018 report from PwC suggests that at least half of all organizations are whistling past the proverbial graveyard.
The global survey of 9,500 executives finds 44 percent admitting they do not have an overall information security strategy. Almost half (48%) say they do not have an employee security awareness training program, and well over half (54%) say they do not have an incident response process.
Only about half (52%) of respondents say they have formally appointed a chief information security officer (CISO). Another 47 percent say they employ a chief security officer. But only 47 percent say they have dedicated security staff. When there is a CISO in place, 40 percent report to the CEO, while another 27 percent report directly to the board of directors. Only 24 percent of CISOs report to the CIO. To make matters more challenging, only 44 percent of the respondents described their corporate boards as actively participating in their companies’ overall security strategy.
Overall, the report finds 66 percent of business executives claim their organization’s security spending is aligned with the revenues of each line of business. The remainder (34%) admit this is not the case or they are not sure.
In general, the consequences of a cybersecurity breach that business executives ranked as being of greatest concern were disruption of operations (44%), compromise of sensitive data (39%), harm to product quality (32%), damage to physical property (29%), and harm to human life (22%).
When all those results are averaged, it becomes apparent that roughly 50 percent of business executives are concerned enough about cybersecurity to at the very least dedicate some resources to IT security. Conversely, that implies that about an equal number have done little or next to nothing. Even among those organizations that have dedicated some resources, it’s not clear how effective those efforts might be. In fact, among organizations that make only a minimal cybersecurity effort, it’s not even clear how much of that reflects willful disregard of IT security issues versus simple ignorance.
Regardless of the root cause, it’s clear that in far too many cases the efforts of IT and cybersecurity professionals to educate business executives about the true nature of the risks they face are falling on deaf ears. It may not be until business schools and various industry associations get more involved that this situation will improve. Most governments these days are hesitant to add additional cybersecurity regulations simply because they don’t know what’s required. Mostly, governments wind up creating a compliance regulation that only addresses the bare minimum amount of IT security required.
It remains to be seen to what degree the rise of digital business might increase awareness of cybersecurity issues. After all, there’s nothing quite like lost revenue to focus the mind of a business executive. But until business executives equate IT security and revenue, it may still be a while before they fully appreciate the real value of IT security.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.