Many Companies Lack CISOs amid Steeper Compliance Demands

Does your business include cyber and privacy management in digital transformation “fully from the start”? Are you comfortable with your reporting on metrics for cyber and privacy risk management? These are among the key questions consulting firm PwC wants businesses to answer in 2019.

The company’s inaugural Digital Trust Insights survey draws on responses from 3,000 business leaders in 81 territories and outlines 10 opportunities for improvement around people, processes and technology with regard to digital trust.

Room for improvement

Nine out of 10 companies currently executing digital transformation projects say they include security and privacy personnel as stakeholders and design proactive management of cyber and privacy risks into the project plan and budget. Yet only 53% have those risk management measures baked into the project “fully from the start,” a gap the research group says needs to close.

Managing risks around security, privacy and ethics will be a steep climb without the right team, PwC analysts say. One of the survey’s most startling findings is that many companies do not fill key roles such as chief information security officer, chief security officer, chief privacy officer, chief risk officer or chief data officer.

Employee awareness and accountability around cybersecurity and privacy could also improve. Only 34% of respondents say their company runs an employee security awareness training program, and only 31% require employees to be trained on privacy policy and practices.

Enabling trust mechanisms

Some 80% of respondents say the board of directors is periodically briefed on cybersecurity strategy and 83% say it is briefed on privacy, yet many have doubts about the quality of that internal reporting: only 27% say they are “very comfortable” that the board is receiving adequate reporting. Cybersecurity programs are also increasingly misaligned with the business as leaders aggressively adopt tech-driven business models. The remedy, analysts say, is to invest more in aligning information security strategy with business objectives, something only 23% of firms currently do.

Only about half of those surveyed say they are investing heavily in data governance, in creating transparency in the use and storage of data and toward increasing the control individuals have over their data. Companies blindly pursuing new ways to monetize soaring volumes of incoming data risk crossing ethical red lines, analysts say.

Only about half of medium and large businesses claim to be building resilience to cyberattacks and fewer than half believe their company has adequately tested its resistance to cyberattacks. Boosting cyber resilience – the ability to defend and recover rapidly in the face of a breach – is a must, analysts added.

“If the lifeblood of the digital economy is data, its heart is digital trust—the level of confidence in people, processes, and technology to build a secure digital world,” the report notes. “Companies, regulators, and consumers need fresh mechanisms to build confidence as they address emerging challenges in business, risk management, and compliance.”

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Filip Truta. Read the original post at: