PwC: Digitisation makes security everyone’s business
Cybersecurity has become a more dynamic field, rapidly adjusting and shifting to keep pace with business inventiveness.
The latest findings of PwC's "Global Digital Trust Insights" survey, which reflect the views of over 3,500 business, security and IT leaders in various industries across 60+ territories, show that cybersecurity has become a dynamic field, rapidly adjusting and shifting to keep pace with business inventiveness.
Among the survey's key findings: fewer than 40% of senior executives say they have fully mitigated the risks their bold moves incurred. By their own assessments, CISOs see the need to advance further on five cyber capabilities: identify, detect, protect, respond, recover.
Senior executives see heightened threats to their organisation and worry they’re not fully prepared to address them. In 2023, these challenges loom: mandated disclosures, tests of resilience, and pressure to get data security and privacy right.
Digitisation makes security everyone’s business. The future promises more connected systems and exponentially more data — and more organised adversaries. With ever-expanding cyber risks, business leaders have much more work to do — and in a tough economic environment.
Fewer than 40% of respondents say they have fully mitigated the risks their bold moves incurred since 2020. Remote work (38%) and the move to the cloud (35%) have commanded the most attention. Larger organisations (more than $1 billion in revenues) and those based in North America are far more likely to have said they’ve mitigated these risks. Less than 3% of respondents say they have done so fully with all 10 risks.
Senior executives worry that their enterprise isn’t fully prepared to address heightened threats. Topping the 2023 list of rising organisational threats are cybercriminal activity (65%); mobile devices (41%), email (40%), cloud-based breaches (38%); and business email compromise/account takeover (33%) and ransomware (32%).
Only 9% of the respondents feel highly confident that they can effectively meet all disclosure requirements — even as pressure mounts from regulators to report cyber incidents.
In Europe, for instance, the EU Agency for Cybersecurity (ENISA) requires critical service providers to report to national authorities in the event of any significant cybersecurity incident. The US Securities and Exchange Commission is considering a rule that would require publicly held companies to disclose their cyber risk management, strategy, governance and “material” cyber incidents. And proposed US Cybersecurity and Infrastructure Security Agency (CISA) rules, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) signed into law last March, would require organisations in 16 critical infrastructure sectors to report major cyber attacks and breaches within 72 hours and to report within 24 hours any ransomware payments they make.
Senior executives are bracing not only for a catastrophic cyber attack but also for global recession, a new health crisis, persistent inflation, and supply chain bottlenecks. Yet only 7% approach resilience in an integrated fashion.
Consumers, consumer-friendly regulators, privacy advocates and ESG activists are gaining ground. Data security and privacy are the Achilles’ heel of many organisations. Fewer than 5% of senior executives say they always implement 10 standard and leading practices to protect and govern customer data.