Post on 06-Oct-2020
Cybersecurity: are you asking the right questions?
Do you understand your organisation’s cyber capabilities well enough to take a risk?
In these increasingly uncertain times, it is critical that every dollar spent counts. This is particularly the case for complex technical risks, where it can be difficult to decipher what the problem is. As a top risk for many organisations, cyber is a case in point.
Recent global events, such as geopolitical cyber activity or a global pandemic, have revealed immediate infrastructure gaps for many businesses, including cybersecurity limitations. The ransomware NotPetya amounted to the most costly and destructive cyberattack in history, according to the White House. Fifty-four percent (54%) of CFOs say the COVID-19 outbreak has the potential for “significant” impact on their business operations, particularly on digital upskilling, bandwidth and cybersecurity limitations.2 For 35% of Asia Pacific companies (30% globally) these figures translate into a cybersecurity spend of 10% or more of their IT budget.1
1 Source: PwC 2019 Digital Trust Insights Survey
2 Source: PwC COVID-19 CFO Pulse Survey, March 11, 2020
[Chart: worldwide spending on information security products and services, 2017 to 2022 (Gartner)]
Worldwide spending on information security
products and services exceeded $114 billion in
2018, an increase of 12.4 percent from 2017,
according to Gartner, Inc. The forecast for 2022 is
that the market will grow to $170.4 billion.
With the increase of cyberattacks occurring, organisations continue to spend more money on security; however, they often spend it in the wrong areas.”– Dr. Eric Cole, founder and CEO at Secure Anchor
Directors are increasingly taking action to be prepared for a crisis, including a cyber-attack. In the past five years, directors have reported a sizable increase in the level of cyber oversight in the boardroom. Roughly three-quarters of participants in PwC’s 2019 Annual Corporate Directors’ Survey said their boards have discussed the company’s crisis response plan in the event of a major security breach (78%), the company’s cyber insurance coverage (74%), and whether to engage an outside cybersecurity expert (74%). Whilst this is undoubtedly positive, directors remain uncomfortable about whether they have the skills and tools to effectively lead the organisation’s response to cyber risk.
A particular challenge is that the data available within organisations to articulate their cyber risks is not prepared in a common language that all of the disciplines and the directors can understand. Tough decisions need to be made about where to invest. Directors should understand the role and mandate of their cybersecurity team; this includes understanding how cybersecurity budgets are measured and prioritised against the organisation’s financial exposure to cyber risk, and how resource and investment decisions follow from that.
What is the role of Directors?
Fewer than 40% of directors say that the board
fully understands the cybersecurity risks facing
the company (37%) or that the board has
sufficient expertise in cybersecurity (36%).
Management is always eager to tell a board what they are doing but less eager to discuss what they are not doing (i.e., what difficult budget decisions they had to make that resulted in risk acceptance). A conversation about what fell below the cut line, and what decision process was used to evaluate trade-offs, will support senior stakeholders in better directing investment.3
3 Source: National Association of Corporate Directors (“NACD”) 2020 Director’s Handbook on Cyber-Risk Oversight
Organisations must have the right leadership
and processes in place to drive the security
measures required by digital advancements.
Achieving this requires a concerted effort to
uncover and manage new risks inherent in
emerging technologies.
Leadership is vital; however, the increase in the board’s interest and involvement discussed above does not always translate into corporate boards proactively shaping their companies’ security strategies or investment plans. Only 44% of respondents to PwC’s 2019 Digital Trust Insights Survey said their corporate boards actively participate in their companies’ overall security strategy. Senior leaders driving the business must take ownership of building cyber resilience. Establishing a top-down strategy to manage cyber and privacy risks across the enterprise is essential.
A company’s risk management strategy
should be informed by a solid understanding
of the cyber threats facing the organisation
and an awareness of which key assets
require the greatest protection. There should
be a coherent risk appetite framework.
Leadership must drive the development of a
cyber-risk management culture at all levels of
the organisation. To enable directors with
limited expertise to fully understand the risks
facing the company and its defences and
communicate effectively throughout the
various functions across an organisation,
companies need a common language that
allows cyber risk discussions in non-technical,
intuitive terms.
A better cyber security risk oversight
How to achieve a common understanding of risks and defences across the organisation?
Directors – and organisations overall – should ensure resources exist to allow stakeholders to understand the business’ cyber risk and address it appropriately. We see this journey as consisting of three phases, each building on the activities of the one before it:
Understanding risk – Companies assess what cyber risk really means to them, identifying the key assets that drive the business and the nature of the threats they face.
- Inventory assets
- Assess maturity
- Assess threat and risk
- Understand 3rd party obligations
Prioritising risk – Companies focus more precisely on the areas that matter most and make decisions based on those priorities.
- Formalise governance
- Interpret risk assessments
- Build remediation plans
- Allocate resources
Monitoring risk – Companies develop the ability to know with increasing agility when changes in the technology or business environment, or evolving threats, change their risk exposure.
- Develop meaningful metrics
- Actively engage in discussions about efforts to improve
- Observe peers and competitors for signals
- Prepare to reassess maturity
Be ready for surprises
As directors and organisations embark on understanding, prioritising and monitoring risk, they are likely to encounter some surprises. We see these common themes across organisations:
• Cyber is a top risk for most organisations and significant amounts are invested in better managing cyber-related risks, but cyber-related investment decisions are often not aligned to the company’s risk appetite around core business practices, or blur housekeeping actions with strategic improvements. Confidence in the ability of the company to recover from a cyberattack is often low.
• Identifying the organisation’s most valuable and sensitive digital assets is a continuous exercise, and companies are struggling to maintain an inventory of key processes, assets and dependencies.
• Controls to manage cyber and other technology risks are often manual in nature, resulting in significant limitations; and for those companies investing in automated solutions, we frequently see that the coverage of tools and other technologies is not implemented consistently across all key assets.
• When an incident occurs, it is usually because cyber risk has not been managed at an adequately granular level. Existing assurance activity, where in place, is typically too high-level or too narrow to give such insights.
Only 15% of CEOs strongly agree their company can withstand cyberattacks and recover quickly.4
40% of PwC’s Fall 2018 Digital Trust Insights Survey participants are very comfortable that they have identified their organisations’ key digital assets.
4 Source: PwC’s 22nd Annual Global CEO Survey
Directors can start the engagement with executives and their risk and security leadership by targeting key strategic areas. Framing questions in a structured way that a chief information security officer is likely to appreciate can lead to a better conversation and more impactful communication for all parties.
Framing conversations using internationally
recognised frameworks, such as the US
National Institute of Standards and Technology
Cyber Security Framework (‘NIST CSF’),
provides a common language for all
stakeholders.
The NIST CSF is a structured collection of
cyber risk fundamentals that can be used
when discussing, prioritising, and addressing
key components of a cyber-risk management
program. It is by design a principle-based,
non-prescriptive tool for framing the important
issues so stakeholders can speak a common
language that covers the full lifecycle and
holistic view of cybersecurity risk
management.
What should directors do?
At the highest level, the CSF is organised into five “functions”, or key activities. Together these define a holistic approach to a company’s cyber risk management, and the three phases described above (understanding, prioritising and monitoring risk) run across them. The question a director can ask against each function:
1. Identify – What matters most to the business? What are the biggest threats?
2. Protect – What measures are in place to ensure key elements of the business are safe?
3. Detect – How alert is the organisation to threatening events or disruptions?
4. Respond – How quickly and effectively can the organisation react when bad things happen?
5. Recover – Once an attack or disruption happens, how quickly is the organisation able to resume normal operations?
Each of the five functions comprises a number of lower-level activities, broken down into “categories” and “sub-categories”, each providing a more granular and detailed description of leading practices.
The objective is to create digital resilience by design: agile cyber defence and recovery capabilities to weather cyberattacks without suffering costly disruptions.
Once directors understand where their company is on the journey, they can discuss and challenge, with confidence and relevant information, whether management’s plans and responses are reasonable.
How to take the first step?
Directors must take the following three actions:
1. Understand the current state of your organisation’s cyber risk assessment and defences: assess how well the organisation is addressing cyber risk by using a maturity model, such as the widely accepted Capability Maturity Model Integration (CMMI). This will allow the company to define current and target states for its security capabilities and measure progress against goals. A maturity model like CMMI combined with the NIST CSF can enable maturity ratings and benchmark progress, internally and against peers.
2. Get involved in shaping the organisation’s cyber strategy: do not be comfortable with only discussing the strategy at a high level in board meetings.
3. Make the organisation’s cyber spend count: a maturity assessment against a recognised framework can allow the organisation to set out a clear roadmap on how to move from its current state to a desired target operating model. This roadmap should inform the cyber investment needs and priorities. It does not necessarily mean more investment; it means the right investment in the right areas for the business.
By understanding and leveraging the CSF, boards can play an active role engaging with security leadership and company leadership about the company’s cybersecurity strategy and its effort to build cyber resiliency.
“What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funnelled and controlled through the team that we have, how do we work through that in a well formatted, formulated process and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.” – Dr. Chris Pierson, CEO, Binary Sun Cyber Risk Advisors
How can PwC help?
As a leading provider of trust around cyber and technology risks, PwC has developed a cyber-maturity assessment framework based upon internationally recognised frameworks, including the NIST CSF, that can help boards, senior management and other stakeholders establish a common language for communicating cyber risks across the organisation. Covering the five key capabilities of cyber risk management, it supports organisations in making better decisions on where to focus next from people, process and technology perspectives.
Our assessment brings together assurance practices and cyber expertise with a methodology using an internationally recognised framework. It can help stakeholders assess and monitor the maturity of their cyber defences using maturity scores against a common standard and methodology, and provide insights into peer organisations on a no-name basis, giving greater confidence. Key features include:
• Benchmarking to other organisations using data from similar assessments.
• Validation (not just talk-through) performed to ensure that cyber controls are designed effectively and implemented across the scope set.
• Maturity scoring using the Capability Maturity Model Integration (“CMMI”) framework to provide an absolute rating for each framework element and a roadmap for improvement initiatives.
“Boards are not expected to have all of the answers related to cyber risk, but they do need to talk with management and ask the right questions so they can stay on top of this complex and dynamic risk.” – PwC, “Cybersecurity and the board: six questions your board should ask”, July 2016.
For more information about the topics in this publication, please contact :
Contact us
Kenneth Wong
Cybersecurity and Privacy Leader,
Risk Assurance, Mainland China
and Hong Kong/Asia Pacific
+852 2289 2719
kenneth.ks.wong@hk.pwc.com
Nick Hamer
Trust and Transparency Services
Leader, Risk Assurance,
Mainland China and Hong Kong
+852 2289 8545
nick.j.hamer@hk.pwc.com
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2020 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. PMS-001450
Regional contacts (North, Central and South)
Lisa Li
Partner
+86 (10) 6533 2312
lisa.ra.li@cn.pwc.com
Ryan Yao
Partner
+86 (10) 6533 7576
ryan.h.yao@cn.pwc.com
Samuel Sinn
Partner
+86 (21) 2323 2296
samuel.sinn@cn.pwc.com
Chun Yin Cheung
Partner
+86 (21) 2323 3927
chun.yin.cheung@cn.pwc.com
Tony Wan
Partner
+86 (21) 2323 8149
tony.wan@cn.pwc.com
Kok Tin Gan
Partner
+852 2289 1935
kok.t.gan@hk.pwc.com
Felix Kan
Partner
+852 2289 1970
felix.py.kan@hk.pwc.com
Danny Weng
Partner
+86 (20) 3819 2629
danny.weng@cn.pwc.com
Dennis Li
Partner
+86 (10) 6533 7800
dennis.y.li@cn.pwc.com