Nearly all U.S. executives (98%) report that their organizations experienced at least one cyber event in the past year, compared to a slightly lower rate of 84% among non-U.S. executives, according to Deloitte’s 2021 Future of Cyber Survey. Further, COVID-19 pandemic disruption led to increased cyber threats to U.S. executives’ organizations (86%) at a considerably higher rate than non-U.S. executives experienced (63%). Yet 14% of U.S. executives say their organizations have no cyber threat defense plans, a rate more than double that of non-U.S. executives (6%).
As part of a global Deloitte Touche Tohmatsu Limited survey, 577 C-suite executives around the world, 159 of them from the U.S., were polled online from June 6, 2021 to Aug. 24, 2021 about their organizations’ cybersecurity programs. Participating U.S. respondents held CEO (25%); chief information security officer, or CISO (23%); CFO (21%); CIO (15%); CMO (13%) or other C-suite positions (3%). U.S. respondents’ organizations had annual revenues of $500 million to less than $5 billion (37%), $5 billion to less than $30 billion (53%) or more than $30 billion (10%). A similar survey was conducted in the U.S. only in 2019.
The biggest fallout U.S. execs report from cyber incidents or breaches at their organizations during the past year includes operational disruption (28%), share price drop (24%), leadership change (23%), intellectual property theft (22%) and loss of customer trust (22%).
Increases in data management demands, perimeter size and overall complexity (38%), an inability to keep pace with rapid technology change (35%) and a need for better prioritization of cyber risk across the enterprise (31%) all pose obstacles to U.S. executives’ organization-wide cybersecurity management programs.
“No CISO or CSO ever wants to tell organizational stakeholders that efforts to manage cyber risk aren’t keeping up with the speed of digital transformations made, or bad actors’ improving tactics,” said Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal, Deloitte & Touche LLP. “Aggressive organizational digital transformations and continued remote work for some seem to be shining more of a spotlight on the human side of cyber events — both the cyber talent gap and the potential risk well-meaning employees can pose. We see leading organizations turning to advanced technologies to help bridge those gaps.”
Addressing the cyber talent gap in an ever-changing market
Competition for cyber talent remains fierce, particularly in the U.S., as 31% of U.S. executives say their organizations are often unable to recruit and retain cyber talent — a rate nearly twice what non-U.S. executives (16%) experience.
“The cyber talent gap is a long-standing industry challenge. And, as the threat landscape and adversarial set diversifies, it’s driving the need for cybersecurity professionals to take more silo-breaking approaches to problem-solving that use a complement of both traditional, technical capabilities as well as less traditional skill sets in areas like talent management, marketing data retention, and supply chain operations,” said Golden. “At Deloitte, for example, we’re investing in our existing cyber talent with constant learning and upskilling opportunities, while also recruiting and hiring professionals, both traditional and non-traditional, at all levels who are interested in helping our clients solve various cyber challenges.”
The unwitting enemy within is a top U.S. C-suite concern
Surprisingly, the cyber threat U.S. executives say they are most concerned about isn’t phishing, malware or ransomware (27%); it’s the unintended actions of well-meaning employees (28%).
Yet 15% of U.S. executives say their organizations have no way to detect or mitigate employee cyber risk indicators, and 44% say their organizations rely on leadership to monitor employee behaviors and cyber risk indicators. Just 41% say their organizations use automated behavior analytics tools to help detect potential risk indicators among employees.
“While not always the headline-driver that illicit acts by nation-states or cybercriminals can be, human error introduces considerable risk to any organization,” continued Golden. “Emerging technologies — like advanced analytics, artificial intelligence and machine learning — can help identify and mitigate vulnerabilities that employees, vendors or others can unintentionally create in organizational systems. Further, proactive, tech-enabled cyber programs and adoption of Zero Trust frameworks can offer considerable support to risk management reaching far beyond security itself, nurturing trust between organizations, their employees, clients and other stakeholders.”
Additional findings of note include:
- Zero Trust adoption continues to gain momentum. U.S. executives rank Zero Trust second only to building cyber and technical resilience as a priority in transforming their organizations’ security capabilities. In contrast, Zero Trust is not nearly as high a priority (ranked No. 7) for non-U.S. respondents. Notably, Zero Trust adoption can help organizations bolster their cyber and technical resilience by applying a risk-based access control approach across identities, workloads, data, networks and devices. It is an architectural approach rather than a single product: adopting it means embracing a “never trust, always verify” security posture across an organization.
- Balancing business needs with customer trust has room for improvement in the U.S. Data protection (53% U.S. executives; 43% non-U.S. executives) and data privacy (41% U.S. executives; 42% non-U.S. executives) are top-ranked security projects for executives globally. Even though 22% of U.S. executives and 16% of non-U.S. executives cite loss of customer trust as a consequence of a cyber event, just 19% of U.S. execs say that their marketing organizations balance the need for customer data collection with engendering customer trust “very well,” compared to 60% of non-U.S. execs who say the same.
- Cyber is top of mind for U.S. CEOs and boards. U.S. executives report that their CISOs report directly to CEOs (42%), CTOs (19%) or CIOs (16%). And nearly all (96%) report that cybersecurity is on the board’s agenda more than once per year, most frequently quarterly (49%) or monthly (30%). Outside the U.S., execs are less likely to see CISOs reporting to CEOs (30%), and 88% of non-U.S. executives say cyber appears on the board’s agenda more than once per year, most frequently quarterly (50%) or twice a year (20%). When leaders make decisions on cybersecurity investments, U.S. executives are most likely to rely on risk quantification tools to assess ROI (45%), whereas non-U.S. executives are most likely to use cyber maturity assessments to guide those decisions (42%).
- Risk analysis and threat modeling for new and existing application security is conducted monthly by 59% of U.S. executives’ organizations, compared to just 36% of non-U.S. executives’ organizations. Further, DevSecOps has been fully (43% of U.S. executives; 40% of non-U.S. executives) or partially (49% of U.S. executives; 51% of non-U.S. executives) adopted in most respondents’ organizations.
- To address data destruction attacks that aim to disrupt business indefinitely, U.S. executives are most likely to turn to their organization’s disaster recovery (DR) and business continuity (BC) solutions (43%). Non-U.S. executives are most likely to rely on specific backup or DR solutions or BC plans for data destruction events.
- Visibility into cloud workloads and application protection was the top cloud security concern for all executives polled (34% U.S. executives; 27% non-U.S. executives). But the groups diverged on secondary cloud security concerns: U.S. executives listed consistency of application changes (25%) second, while non-U.S. executives listed compliance (19%) as their second-ranked concern.