The Future Of Cyber Survey 2019 - Deloitte

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.Cyber needs a leader with the authority todrive changeFrom the results illustrated (see figure 7), we seethat nearly half of organizations (49 percent) havecybersecurity on their board agenda at least quarterly.However, at some level, it can be viewed that half ofboards are not discussing cyber as often as they likelyshould be. After all, only 4 percent of respondentssay cybersecurity is on the agenda once a month.With the level of risk associated with cyber, shouldn’tit have some level of consideration at every boardmeeting? The answer is yes. Today’s boards shouldhave adequate access to cybersecurity expertise, anddiscussion about cyber risk management should begiven regular and adequate time on the board meetingagenda. Askew in these results is the CISO perceptionof cyber on the board agenda—77 percent of CISOsreported that this occurred quarterly whereby theother C-suite leaders surveyed indicated much lowerpercentages. We feel that this data supports the factthat the CISO may not actually have line of sight toexecutive management and the board, whereas mostof the other roles surveyed do. Therefore, it is ourconclusion the CISO response is often more perceptionthan reality.Boards should also consider requiring managementto provide a set of key performance indicators and keyrisk indicators that can enable them to quickly ascertainthe state of cybersecurity in the company. Directorscan work directly with senior management to developthese board-level metrics and benchmarking tools.1This topic has never been more important as executivesand boards will continue to face mounting pressureto reassure customers, shareholders, and regulatorsthat they are making the most informed cybersecurityinvestment decisions to protect the company.Figure 7. How frequently cybersecurity issues are on board’s agenda49%77%of participating C-levelexecutives have cybersecurity issueson their board’s agenda once a quarterof CISOs report thatcybersecurity issues are on theirboard’s agenda at least quarterly77%2% 4%62%59%57%53%31%46%49%22%4%1%15%CISOsOnce a month41%38%37%CTOsOnce a quarter or more2%1%CROsOnce or twice a yearCSOsCIOsOn an ad hoc basisOnce a quarterOnce a yearTwice a yearAd hoc7

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.The survey also tells us that when it comes to evaluatingcyber investment decisions, half of participating C-levelexecutives (50 percent) use risk quantitative tools andthe other half rely on the experience of their cyberleadership or cyber maturity assessments.50%of participating C-level executivesemploy risk quantification tools totrack and evaluate their cybersecurityinvestment decisionsMany tools are becoming available in the market toassist organizations in their risk maturity assessment,with varied methodologies, but all with the sameunderlying goal: to better estimate both the direct andintangible costs associated with a cyberattack, therebyproviding greater clarity around the potential rangeand financial risks associated with an incident.To drive effective execution of a cyber riskprogram, executive management needs to structuretheir cybersecurity leadership team to drivecommunication and implementation of securityacross the enterprise and have both the authorityand expertise to do so. This is typically best achievedwhen the cyber function is represented in theC-suite so that the broader organization can betterunderstand the priority and importance of adoptingor creating a cyber-secure enterprise.8In most cases, the CISO is the de facto cyber championof the enterprise. Over the course of 5 to 10 years, wehave observed the role expanding beyond that of atechnology champion to one of strategist and advisorto executive management. Given the previously sharedimperative related to the need to prioritize across theenterprise and a need for increased executive buy-in,the next data point could be promising as an indicatorthat organizations are valuing cyber. When asked aboutthe cyber chain-of-command, 43 percent of surveyedCISOs indicated they report directly to the CEO (seefigure 8b). That finding is consistent across the totalsurvey population where 32 percent of respondentsindicated the CISO reported to the CEO, with only 19percent indicating that the role reported to the CIO(see figure 8a). In Deloitte’s experience facilitatinghundreds of CISO transformation labs over the pastfive years and through informal collection of data,nearly 80 percent of CISOs report to a CIO or CSO. Thisindication that CISOs are, in fact, directly reportingto a CEO is quite encouraging but counter to whatexperience tells us. Did survey respondents sharewhere they think the CISO should report or where itactually reports? It’s hard to know. However, if true, thisis an important shift to note, as access and influenceare imperative in helping executives prioritize andunderstand what is needed to propel the enterpriseforward in the realm of cyber everywhere.

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.Figure 8a. To whom does the CISO typically report in your organization?Across companies, the CISO position can be a high-level strategic asset or an operational role focused on addressing technology orinformation risks, as it commonly answers to the CEO (32 percent) or one of the following members of the C-suite: CIO (19 percent), CTO (12percent), or CRO (11 percent). Across the five C-level executive groups, participating CISOs appear to be more involved in strategic planning,as they (43 percent) are the most likely to say they report to the CEO directly, leading the other sub-audiences by 9 to 23 cer(CTO)Chiefrisk nancialofficer(CFO)Board ofdirectors1%-MultipledirectreportsOtherThere is noCISO in myorganizationFigure 8b Top positions that the CISO typically reports to in a companyCISOs are the most likely to say the CISOposition reports directly to the CEO43%37%34%33%29%20%23%22%15%10%12% 13%9% 9%7%15% 14%11% 12% 11%6%7%13%6%1%CISOsReports to CEOCTOsReports to CIOCROsReports to CTOCSOsReports to CROCIOsReports to CCOTop responses only9

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.Many organizations still rely on the CISO without fullyempowering those in the role to lead confidently acrossthe enterprise. That said, we want to be careful not toget hung up on titles because what matters more iswhere the responsibility for managing cyber sits in theorganization. Some organizations have it a couple layersdown where, buried in bureaucracy, the role is nothingmore than an IT function. Ensuring the cyber functionis senior enough to have line of sight and influence intostrategy and operations is critical to cyber transformationin the organization.Here’s what classically happens: cyber is stuck in IT, and ITreports to the CIO. IT security is often equated with cyber,but it is not the same strategic function. By nesting cyberin IT, the cyber budget rests under the IT budget, underthe CIO, and that is why you often see the sort of resultsthe survey results are indicating—that cyber isn’t actuallyprioritized or resourced to meet the cyber everywhererealities of tomorrow. In many cases, this leads tosituations where CISOs lack the ability to shape strategyand help organizations to prioritize effectively. Similarly, inanother example, if cyber sits under the chief legal officer,then cyber may become a compliance-oriented programversus one focused on innovation and risk management.Cyber is a top strategic business imperative; apervasive issue that should inform management andsit alongside finance, legal, and operations. Cyberneeds “a seat at the table” to help guide the enterpriseand ensure it can effectively make the right decisionsby looking internally at how the organization runsand looking externally at interactions with customers,suppliers, and business partners. The prolific impactof having cyber embedded in organizational strategy,planning, and the execution of operational orperformance effort should not be underestimated.Cyber deserves organizational alignment, prioritization,and reporting structures.The organizations that do this well today are ones thatare typically large custodians of data. They are dialedin to the need for security, innovation, and customerservices. In our experience, the organizations thatrelegate cyber to sub-layers within the organizationare less mature in understanding their cyber risk.Seeing the role of the CISO elevated to the C-suite is a10positive indication of organizational acceptance thatthe ubiquity of cyber warrants full senior leadershipengagement, greater cyber risk governance, andintegration across the enterprise.Although it is impossible to prevent every cyberincident, with a well-governed, executive-led programit is possible to manage technology risk to acceptablelevels. The cyber risk program, rather than being anever-increasing cost to the business, is a necessaryelement of the investments made to achieve thestrategic goals of the organization.The future of cyber demands alignment andcollaboration both internally and outsidethe organizationDigital transformation is enabling organizationsto simplify their environments, employ strongertechnology capabilities to collaborate more effectively,manage data more efficiently, and do what isneeded to enable better delivery of their productsand services. As you consider the role of cyber, thequestion becomes how can you integrate cyber andtake a position that helps lead the organization andbecome a catalyst to direct transformation fromlegacy environments, disconnected data sources,and fragmented identity systems? How can you usethis strategy and the supporting infrastructure as acatalyst for change?Organizational alignment on the risks that mattermost to the enterprise may seem obvious, but as thesurvey results have shown, leadership often strugglesto achieve it. According to the survey, the ways inwhich today’s cyber organizations interact with variousbusiness units is through security assessments oraudits (29 percent), security steering committees thatwork with the business (29 percent), separate securityorganizations within each business (24 percent), and 18percent through security liaisons within each business(see figure 9). We are seeing many organizations havegreat success with the latter. Cyber professionalsembedded in the businesses are an effective approachto manage cyber risk across the enterprise and fostergreater collaboration and innovation.

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.In the financial services industry, many banks havebusiness security officers embedded in the businessunits. They know the business, and from their purviewamongst business analysts and financial professionals,for example, their sole mission is to embed securityin new initiatives, manage compliance, and fostercollaboration and modernization. This model becomesa catalyst for better efficiency and risk management.This is one example of an organization creating a cybersecure culture, embedding an ethos of integratedinnovation and security within the business units.But the fact that less than 30 percent of surveyrespondents selected some sort of security liaisons/champions within each business further supportsthe lack of readiness of organizations to embracecyber everywhere.Embedding cyber professionals into the businessescan enable the cyber organization, and its leader,to be strategic and better manage security intransformation efforts. It allows for the bifurcationof firefighting and strategic planning, because cybercertainly requires both. Within the businesses,cyber is able to represent the security interestsof the enterprise and be a part of the discussionsfrom the outset on user experiences, data risks,platform reliability, and so on. The CISO doesn’thave time to be in every discussion, but integratingcyber team members who act as liaisons betweencyber and the business can help to ensure alignmenton organizational priorities and prevents siloedagendas, or worse having to remediate incidents thatcould have been prevented had cyber been a part ofinitial discussions.Figure 9. Cyber department’s interaction withother business unitsTotal participants18%29%24%29%Through security assessments or auditsThrough security steering committees that work with businessesThrough separate security organizations within each businessThrough security liaisons/champions within each business11

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.Who is the cyber team?Much of what is being written about the future ofcyber is addressing the looming cyber talent gap.Organizations today are already stressed to staffappropriately, and the cyber workforce is strugglingto keep up with demand. By 2021, there is estimatedto be an astounding 3.5 million unfilled cybersecuritypositions worldwide.2 That means cybersecurityprofessionals will have to find ways to compensatefor those empty slots. There are too many facets toconsider, too many vulnerabilities to take notice of,and too few IT professionals to manage every threat.According to our survey, 85 percent of the participantsindicated some level of reliance on vendors andmanaged services providers to provide cybersecurityoperations, with 66 percent of those outsourcingbetween 21 percent and 50 percent of cyber operations.Tangentially, that leads us right back to the survey.When asked what percentage of their workforcesupporting cybersecurity are full-time employeesversus contractors and consultants, more than 30percent of CTOs, CROs, and CSOs indicated that themajority (up to 80 percent) were full-time employees(see figure 10). Conversely, the majority of CISOs (81percent) and CIOs (56 percent) indicated that full-timeemployees made up less than 20 percent of theircyber teams. The disparity in the findings is surprisinguntil you consider that in many cases, CTOs, CROs,and CSOs are farther removed from the actual tacticsof the cyber operation, including how it is staffed.They may have purview related to budget but havelimited understanding as it relates to outsourcing andcontractor usage. We would infer that the CISO and CIOperspective is likely more accurate in this case.Figure 10. Percentage of full-time cybersecurity employeesTotalparticipantsCISOsCTOsCROsCSOsCIOs10% or –50%7%3%8%6%7%12%51–80%29%12%35%31%39%27%More than 80%9%4%13%10%11%5%12

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.Part of the challenge for organizations evolvingtheir cyber risk capability is that many are limitingthemselves by trying to build cyber capabilities inhouse. Resources are hard to train and harder toretain. If organizations are going to prioritize cyber inthe organization, then executive leadership shouldbegin to explore talent models and strategies tokeep up with the burgeoning resource demands.Contractors, or outsourcing entire capabilities, aremore efficient and often can deliver at a higher servicelevel. Consideration should also be given to automationof processes and services, which can help improvespeed quality and help the organization to do morewith less. The combination of these solutions canhelp address cyber risk. To succeed in the future ofcyber, organizations need to become nimbler andmore considerate of new channels to getting thingsaccomplished. This includes the growing capabilities ofthird-party security providers.We can get an idea from the survey results thatorganizations are already demonstrating thewillingness to rely on third parties to help addresscyber everywhere. Nearly all of the survey respondentsindicated they had allocated cyber operations dollarstoward third-party providers, with 14 percent of totalrespondents indicating that more than 50 percent oftheir cybersecurity operations are outsourced (seefigure 11). When looking across the roles of surveyrespondents, 65 percent of CISOs put that percentageof outsourced cyber operations in the 21–30 percentrange. The consistency of the CISO responses anddifferences in comparison to the other C-suite leaderssurveyed help us to infer that the CISO is typicallyresponsible for day-to-day cyber oversight.Figure 11. Percentage of outsourced cybersecurity %32%20%More than 50%14%16%17%13%14%10%13

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere.Cybersecurity functions outsourced tothird partiesSo where are these third-party dollars going? Surveyrespondents indicated a willingness to outsourcea myriad of cybersecurity functions. The collectiveresults of those surveyed is reflected in figure 12.Worth noting, 50 percent of CIOs most often selectedsecurity operations, and 48 percent of CISOs choseinsider threat detection. Both of those selectionsstood out in the response data specific to theroles surveyed. But across the board, our surveyrespondents indicated that they turn to partnersmost often when it comes to security operations,vulnerability management, physical security, andtraining and awareness.Partnerships can be a pathway to success, but failuresof third parties have also led to some of the costliestcybersecurity breaches. Our survey data is consistentwith what Deloitte is finding in the marketplace, whichis many organizations need a little bit of help in a lotof places. To develop a well-rounded cybersecurityprogram, organizations should partner closely withsuppliers, industry associations, governmentalagencies, academic institutions, researchers, andother business partners.Third-party testing should continue to be a valuableto

The future of cyber survey 2019 Cyber everywhere. Succeed anywhere. 6 The survey reveals that respondents believe there are notable gaps in organizational capabilities to meet today's cybersecurity demands. Cyber teams are challenged by their ability to help the organization better prioritize cyber risk across the enterprise