Internal Audit, Risk, Business & Technology Consulting

A Path for Accelerating Progress

Cybersecurity in the Technology Industry

A Path for Accelerating Progress · 1 · protiviti.com

Introduction

The technology industry provides much of the infrastructure powering the digital transformation of business and personal life around the globe. As such, the effectiveness of the industry's cybersecurity programs has consequences that reach far beyond the technology industry itself.

To assess the current state and direction of cybersecurity in technology organizations around the world, Protiviti has extracted the responses of 250 software, hardware and telecom executives who participated in The Cybersecurity Imperative, a global online survey on cybersecurity practices.1 In-depth interviews with chief information security officers (CISOs) and cybersecurity experts, and input from an executive advisory board, supplement the survey.

In this white paper, we begin by examining how technology firms assess the implementation of their cybersecurity programs against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.2 We then discuss survey findings regarding threats and countertactics and how cybersecurity is supported internally by policies and organizational structure. The report concludes with recommendations that individual technology firms can use to help strengthen their cybersecurity practices.

1 The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change, a research report from a joint effort of ESI ThoughtLab, WSJ Pro Cybersecurity, Protiviti and a group of prominent organizations. The research combined a survey of 1,300 global executives across multiple industries, advisory meetings and interviews with leading experts and practitioners, and analytical tools to benchmark approaches and assess performance impacts. It is available at http://go.dowjones.com/cybersecurity-imperative.

2 The NIST Cybersecurity Framework offers computer security guidance that private sector organizations in the United States can use when assessing and improving their ability to prevent, detect and respond to cyber attacks. It is available at www.nist.gov/cyberframework.

[Figure: Company Type and Headquarters for the Cybersecurity Imperative Survey Respondents. Two pie charts: company type (Software, Hardware, Telecom) and headquarters location (US/CAN, EU/UK, LATAM, APAC). The chart segment values (32%, 32%, 28%, 8%, 20%, 52%, 28%) could not be matched to their segments from the extracted text.]


Detailed Findings

Functional Maturity and Resource Allocation

The NIST Cybersecurity Framework provides a standard checklist of 23 recommended activities grouped into five functions (Identify, Protect, Detect, Respond and Recover) which organizations can use in developing their cybersecurity strategy. In our survey, we asked respondents to evaluate their progress in each of these activities according to the scale shown below.

These self-evaluations reveal that most technology companies have significant work ahead to develop their cybersecurity functions. Very few of the firms represented by the executives we surveyed have reached the advanced level in any of the 23 cybersecurity activities. This finding was echoed in further analysis, in which we aggregated each company's maturity levels across the entire set of activities and then categorized firms as cybersecurity "beginners," "intermediates" or "leaders" based on the total of their maturity level scores. Not only does the technology industry lag slightly behind other industries in the percentage of companies categorized as cybersecurity leaders, it also has a much higher percentage of cybersecurity beginners.

Cybersecurity Maturity Level (self-assessment scale used in the survey)

No action
Beginning: Starting to think about the activity
Developing: Planning and support building
Maturing: Seeing progress and benefits
Advanced: Ahead of most peers and seeing significant benefits

Maturity of Cybersecurity Function (percentage of companies categorized as Beginners / Intermediates / Leaders)

Software: 45% / 36% / 19%
Hardware: 29% / 54% / 17%
Telecom: 42% / 44% / 14%
All Tech: 40% / 43% / 17%
Non-Tech: 29% / 50% / 21%


On the one hand, the industry's showing seems counterintuitive: one would expect technology firms to have a heightened awareness of both evolving cyber threats and the cost of being underprepared for them. But perhaps the cybersecurity function within the technology industry simply reflects to a greater degree the budgeting and resource pressures that cybersecurity faces across all industries. Outside of the technology industry, cybersecurity must compete with other technology functions and initiatives, such as research and development, digital transformation, and improvements to user experience, all budget line items where it is easier to build enthusiasm and buy-in among multiple decision-makers. These pressures are even more acute in the technology industry, where factors like research and development and user experience drive a company's market presence. Even so, we would argue that this merely makes it more imperative for cybersecurity leaders to advocate effectively for their functions within their organizations. Our survey results show how the maturity of the cybersecurity function correlates with the adequacy of cybersecurity funding (see chart below).

Executives Reporting Adequate Cybersecurity Budgets

Beginners: 28%
Intermediates: 76%
Leaders: 86%

In some cases, the budget shortfall is significant: Among executives at cybersecurity beginner firms who felt their cyber funding was inadequate, 28 percent said a budget increase of 21 percent to 30 percent was needed. In other cases, however, the requests were more modest: 37 percent called for a cybersecurity budget increase of 6 percent to 10 percent.

Particularly at technology companies where the cybersecurity function is in the early stages of development, board members, CEOs, CFOs and other decision-makers should be proactive about evaluating the cybersecurity budget so that the function properly reflects the central role that digital technology plays throughout business today. The survey results show a telling difference in how cybersecurity is thought of in the technology industry, depending on the company's level of cybersecurity maturity. While executives from companies with early-stage cybersecurity functions primarily think of cybersecurity in terms of incident prevention and reduced risks, executives from companies with more advanced cybersecurity functions view the function more strategically, as a driver of speed to market, customer engagement and market share.


Perceived Benefits of Cybersecurity (percentage of executives citing each benefit: Beginners / Intermediates / Leaders)

Emphasized by intermediates and leaders:
Increased market share: 8% / 23% / 20%
Improved customer engagement: 6% / 8% / 27%
Faster speed to market: 12% / 24% / 32%

Emphasized by beginners:
Incident prevention: 64% / 44% / 20%
Risk reduction: 83% / 57% / 52%


Implementation of the NIST Cybersecurity Framework

Perhaps the most notable high-level finding from the survey is how similar the technology industry is to other industries in its progress against the NIST Cybersecurity Framework. This may reflect the fact that, as cybersecurity has become strategically important across the economy, no one industry has a privileged position in retaining cybersecurity expertise. It may also be the case that, as suggested earlier, cybersecurity within the technology industry faces a higher level of competition for internal resources. In any event, these findings should be taken as a reason to evaluate closely the role cybersecurity plays within technology organizations.

Identify

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.

Among technology companies, most progress in the Identify function has been made in risk-based activities, a pattern that occurs in other industries as well. (Hardware companies make a particularly strong showing here.) But while risk assessment and management provide a strong groundwork for many aspects of the cybersecurity function, they need to be paired with strong governance and integration of cyber concerns with the overall business.

Poised for Improvement

• Risk management strategy: 54 percent of telecom companies are currently at the developing stage, compared with 38 percent of software companies and 39 percent of hardware companies.
• Governance: 53 percent of hardware companies and 56 percent of telecom companies are at the developing stage.

Areas of Concern

• Asset management: 40 percent of technology companies are still at the beginning stage, compared with 31 percent of non-technology companies.
• Risk management strategy: 31 percent of software companies are still at the beginning stage, compared with 16 percent of hardware companies and 18 percent of telecom companies.
• Business environment: 30 percent of software companies are still at the beginning stage, compared with 20 percent of hardware companies and 12 percent of telecom companies.


Identify: Percentage of Companies at the Maturing Stage
(Non-Tech / All Tech / Software / Hardware / Telecom)

Risk Management Strategy: 33% / 33% / 29% / 44% / 28%
  Establish priorities, constraints, risk tolerances and assumptions for managing operational risk.
Supply Chain Risk Management: 30% / 29% / 25% / 37% / 26%
  Establish priorities, constraints, risk tolerances and assumptions for managing supply chain risk, and establish and implement the processes to identify, assess and manage supply chain risks.
Risk Assessment: 32% / 27% / 21% / 41% / 22%
  Identify the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals.
Business Environment: 18% / 16% / 15% / 13% / 22%
  Understand and prioritize the organization's objectives, stakeholders and activities.
Organizational Roles: 19% / 15% / 16% / 13% / 14%
  Set roles and responsibilities for the entire workforce and third-party stakeholders.
Asset Management: 17% / 10% / 10% / 7% / 16%
  Identify the data, data flows, devices, personnel and systems that could affect cybersecurity.
Governance: 12% / 10% / 12% / 7% / 6%
  Understand the policies, procedures and processes to manage and monitor the organization's regulatory, legal, risk and operational requirements.
Average: 23% / 20% / 18% / 23% / 19%


Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

As with other industries, technology companies tend to be strongest overall in the Protect realm, which is where most organizations traditionally start to build their cybersecurity function. But there is a notable drop-off in the activities necessary to support the frontline protection efforts. The state of awareness and training is of particular concern, given the cybersecurity risk posed by untrained general staff (see the sidebar "Employees Are the Weakest Link"), as is maintenance: the percentages of hardware and telecom companies at the maturing stage are in the single digits, which highlights the need for more resources here.

Poised for Improvement

• Identity management and access control: 47 percent of software companies and 42 percent of telecom companies are currently at the developing stage.
• Protective technology: Two-thirds of telecom and hardware companies are at the developing stage, compared with 51 percent of software companies.

Areas of Concern

• Maintenance: Only 10 percent of technology firms have reached the maturing stage, compared with 15 percent of non-technology companies.
• Protective technology: 31 percent of software companies are still at the beginning stage, compared with 17 percent of hardware companies and 20 percent of telecom companies.

There is a global shortage of tech talent — not only for startups, but also for legacy companies undergoing digital transformation. This shortage has forced tech companies to deploy their precious human resources on core activities like product development and customer acquisition, while adopting a flexible labor model, which includes trusted third parties, whenever possible.

— Gordon Tucker, Managing Director, Global Technology Industry Practice Leader


Protect: Percentage of Companies at the Maturing Stage
(Non-Tech / All Tech / Software / Hardware / Telecom)

Identity Management and Access Control: 38% / 36% / 28% / 51% / 34%
  Limit access to physical and logical assets and associated facilities to authorized users, processes and devices.
Information Protection Processes and Procedures: 34% / 35% / 30% / 43% / 36%
  Maintain security policies, processes and procedures for protecting information systems and assets.
Data Security: 33% / 33% / 32% / 41% / 26%
  Manage data in line with risk strategy to protect the confidentiality, integrity and availability of information and the privacy rights of data subjects.
Protective Technology: 20% / 16% / 18% / 16% / 14%
  Manage technical security solutions according to policies, procedures and agreements to ensure the security and resilience of systems and assets.
Awareness and Training: 17% / 16% / 15% / 16% / 18%
  Train personnel and partners in cybersecurity awareness and to perform cybersecurity duties in line with policies, procedures and agreements.
Maintenance: 15% / 10% / 13% / 6% / 8%
  Perform maintenance and repairs of industrial control and information system components according to policies and procedures.
Average: 26% / 24% / 23% / 29% / 23%


Employees Are the Weakest Link

Cybersecurity professionals have long argued that cybersecurity needs to be seen as "everyone's job" and an integral part of company culture. That message seems to have taken hold: When asked to name their greatest internal cybersecurity risk, technology executives, like their counterparts in other industries, are more likely to name untrained general staff than any other source. However, while awareness of this problem is high, combatting the issue is still very much a work in progress. Thus, accelerating investment in awareness and training in this area is likely to yield a noticeable return.

• Telecom companies are also concerned about malicious insiders, with nearly half (48 percent) of executives from those firms naming that risk.
• Software companies are also concerned about privileged insiders, cited by 43 percent of those executives.
• Concern over contractors varied widely. Over a quarter (26 percent) of hardware companies cited them as potential risks, while only 4 percent of telecom companies did.

Internal Threats Posing Significant Risk (percentage of executives at all technology organizations)

Untrained general staff: 90%
Privileged insiders: 37%
Malicious insiders: 27%
Contractors: 15%


Detect

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Because detection activities are primarily tech-driven, the technology industry's activities here should expand in the next two years, as new approaches are incorporated (see the Tools and Technologies section). There is, however, an important caveat: The adoption of technologies needs to be matched by the capability to use those technologies strategically. As the current data show, the benefit of continuous security monitoring and detection processes is blunted without a parallel ability to understand the impact of detected events (the "anomalies and events" activity).

Poised for Improvement

• Continuous security monitoring: 50 percent of telecom companies are at the developing stage, compared with 44 percent of software companies and 33 percent of hardware companies.
• Anomalies and events: While only 3 percent of hardware companies are at the maturing stage, 57 percent are at the developing stage.

Areas of Concern

• Detection processes: 35 percent of software companies are still at the beginning stage, compared with 24 percent of hardware companies and 26 percent of telecom companies.
• Predictive analytics: While 26 percent of telecom companies have reached the maturing stage, 38 percent are still at the beginning stage.

Detect: Percentage of Companies at the Maturing Stage
(Non-Tech / All Tech / Software / Hardware / Telecom)

Continuous Security Monitoring: 36% / 30% / 27% / 41% / 24%
  Monitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures.
Detection Processes: 25% / 23% / 19% / 27% / 26%
  Maintain and test detection processes and procedures to ensure awareness of anomalous events.
Predictive Analytics: 21% / 20% / 19% / 16% / 26%
  Forecast future cyberattacks by analyzing high volumes of data using AI and other advanced technologies.
Anomalies and Events: 13% / 12% / 17% / 3% / 14%
  Detect anomalous activity and understand the potential impact of events.
Average: 24% / 21% / 21% / 22% / 23%


The Cybersecurity Paradox

Our survey uncovered a counterintuitive finding: The more advanced a technology firm's cybersecurity efforts, the more cyber breaches it reports having suffered. That is likely because firms with more mature cybersecurity functions have better detection, while those in the earlier stages are simply unaware of intrusions. While 30 percent of technology firms overall have continuous security monitoring at the maturing level, only 1 percent of those categorized as cybersecurity beginners do, compared with 75 percent of technology's cybersecurity leaders.

Cybersecurity Incidents in the Last Fiscal Year (percentage of firms: Beginners / Intermediates / Leaders)

More than 1,000 records stolen involving personally identifiable information: 2% / 19% / 25%
Three or more breaches requiring emergency response plan deployment: 17% / 37% / 45%


Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

While the percentage of technology firms that have reached the maturing stage in analysis provides a foundation, there is significant work to be done in response to cyber breaches. In particular, companies should increase their focus on response planning, which can drive improvements in other collateral areas. Mitigation is the weakest activity in this function: only 11 percent of software companies, 6 percent of telecom companies and 1 percent of hardware companies have reached the maturing stage, so hardware and telecom companies in particular should redouble their mitigation efforts.

Poised for Improvement

• Communications: 63 percent of hardware companies are at the developing stage, compared with 51 percent of software companies and 44 percent of telecom companies.

Areas of Concern

• Communications: 42 percent of telecom firms are still at the beginning stage, compared with 29 percent of software companies and 21 percent of hardware companies.

Respond: Percentage of Companies at the Maturing Stage
(Non-Tech / All Tech / Software / Hardware / Telecom)

Analysis: 39% / 35% / 32% / 41% / 36%
  Analyze incidents to ensure effective response and support recovery.
Ongoing Improvements: 24% / 20% / 15% / 30% / 18%
  Improve organizational response by incorporating lessons learned from current and previous cybersecurity activities.
Response Planning: 18% / 20% / 21% / 21% / 14%
  Maintain and execute processes and procedures to ensure response to detected cybersecurity incidents.
Communications: 23% / 16% / 17% / 16% / 12%
  Coordinate response with internal and external stakeholders, such as law enforcement agencies.
Mitigation: 11% / 7% / 11% / 1% / 6%
  Act to prevent expansion of an event, mitigate its effects and resolve the incident.
Average: 23% / 20% / 19% / 22% / 17%


Recover

Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Cybersecurity leaders and others in the C-suite have long recognized that in today's environment, suffering a cybersecurity breach is a matter of "when," not "if." A firm's recovery capabilities will be tested, and may well determine the long-term impact of the breach on the business. Technology companies across the board thus need to prioritize this set of cybersecurity activities, beginning with increased efforts to become "continuously learning" organizations regarding their recovery processes.

Poised for Improvement

• Recovery planning: 61 percent of hardware companies and 58 percent of telecom companies are at the developing stage, compared with 48 percent of software companies.
• Ongoing improvements: 70 percent of hardware companies are at the developing stage, compared with 61 percent of software companies and 52 percent of telecom companies.

Recover: Percentage of Companies at the Maturing Stage
(Non-Tech / All Tech / Software / Hardware / Telecom)

Communications: 26% / 22% / 19% / 27% / 22%
  Coordinate restoration efforts, including public relations and reputation management, both internally and externally with internet service providers (ISPs).
Recovery Planning: 20% / 20% / 25% / 20% / 10%
  Maintain and execute recovery plans, during or after a cybersecurity incident, to ensure restoration of affected systems or assets.
Ongoing Improvements: 23% / 14% / 12% / 17% / 18%
  Incorporate lessons learned into future recovery planning and processes.
Average: 23% / 19% / 19% / 21% / 17%


Emerging Threats and Countertactics

The Evolving Nature of Cyberattacks

As the technology industry's digital transformation continues, cyberattacks are expected to evolve accordingly. Today, the threat of direct attacks from malware, ransomware, Trojan horses and more dominates the cybersecurity landscape. Over the next two years, survey respondents expect new vulnerabilities to emerge from greater connectivity and system complexity.

However, this shift reflects the expected addition of new threats rather than any lessening of current ones. Two possible interpretations emerge from this data. The first is that there is inherent difficulty in prioritizing future threats. The second is that the threat profile two years from now will in fact be significantly more multidimensional. Either interpretation presents a challenge for cybersecurity strategic planning.

Attacks With the Biggest Impact (ranked)

Now:
01 Malware/spyware
02 Attacks through mobile apps
03 Ransomware
04 Phishing/spoofing/social engineering
05 Trojan horses/viruses/worms

In two years:
01 Attacks through mobile apps
02 Web application attacks
03 Attacks through supply chain software and hardware
04 Attacks through embedded systems
05 Denial of service (DoS)/distributed denial of service (DDoS)


Attacks With Significant Impact (percentage of technology executives reporting significant impact: Now / In two years)

Trojan horses/viruses/worms: 64% / 66%
Malware/spyware: 71% / 81%
Phishing/spoofing/social engineering: 65% / 66%
Ransomware: 67% / 70%
Attacks through mobile apps: 69% / 86%
Web application attacks: 43% / 84%
Attacks through embedded systems: 39% / 79%
Lost/stolen devices: 28% / 61%
DoS/DDoS: 27% / 75%
Abuse of legitimate access: 23% / 67%
Attacks through supply chain hardware and software: 27% / 80%
Attacks through third parties: 16% / 66%


The Effect of Internal and External Trends

From a cybersecurity perspective, technological advances are a double-edged sword, providing greater capabilities and control but also creating new channels for intrusion. Reflecting this, when asked which internal and external trends were affecting cybersecurity, technology executives gave much more emphasis to new technologies, such as artificial intelligence (AI) and blockchain, and technologically driven factors like open platforms and interconnectivity, than they did to business factors like mergers and acquisitions (M&A) and expanded supply chains.

The emphasis on technological factors when assessing the cybersecurity landscape is not surprising. But technology firms should remember that business combinations, lengthening supply chains and global operations significantly expand an organization's attack surface while introducing an array of control challenges.

Impact of Trends on Cybersecurity (percentage of technology executives citing the trend; the chart groups the trends into technological factors and business factors)

New technologies (AI, Internet of Things (IoT) and blockchain): 58%
Interconnectivity and mobile technologies: 54%
Use of open platforms, application programming interfaces (APIs) and cloud: 40%
Digitally enabled products, services and interfaces: 18%
Digital transformation of business: 29%
Expanded supply chain: 16%
Growth through M&A, joint ventures, and partnerships: 20%


Machine learning, advanced analytics, artificial intelligence and other technologies, once regarded as experimental, are core competencies now. They're required capabilities to fuel new customer insights and deliver new customer experiences.

— Ron Lefferts, Managing Director, Global Head of Protiviti Technology Consulting

Tools and Technologies

Technology firms tend to rely on a core set of five technologies for their cybersecurity efforts. There is, however, another set of tools that cybersecurity leaders and intermediates use but which beginners have yet to adopt widely. Firms that are early in their cybersecurity development should consider expanding their cybersecurity arsenal accordingly.

• Telecom companies are much more likely to use IoT solutions and sensors (80 percent) than software companies (65 percent) or hardware companies (53 percent).
• There are several technologies more likely to be used by hardware companies than by software or telecom companies, including secure browsers, network traffic analysis, third-party information security practices, cloud access security brokers, and endpoint detection and response software.

Some Technologies Are Used by Many ... (percentage of technology firms using each)

Blockchain: 87%
IoT solutions/sensors: 67%
Multifactor authentication/biometrics: 64%
AI/machine learning: 52%
Secure browsers: 51%


... While Others Are Favored by Those With More Experience (percentage of firms using each: Beginners versus Intermediates and Leaders)

Endpoint detection and response software, managed security service providers, network traffic analysis, third-party information security practices, cloud access security brokers and endpoint protection software: each is used by 41 to 50 percent of intermediates and leaders, but by only 4 to 8 percent of beginners.

Our survey findings suggest that companies across the technology industry are primed for a significant expansion of the cybersecurity tool set: The three approaches that are least used today (user behavior analytics, smart grid technologies and deception technology) are those that technology firms say they are most likely to adopt during the next two years. It is interesting to note that cybersecurity beginners are leading the charge for the adoption of these new technologies. This could be a case of "leapfrogging," in which a lagging group accelerates its technological sophistication through aggressive early adoption, provided that these firms ensure that they have the proper infrastructure and personnel in place to digest this rapid change.


New Technologies on the Horizon (percentage of firms using each now, and planning to adopt within two years)

User behavior analytics, smart grid technologies and deception technology are each used by only 4 to 8 percent of technology firms today. Within two years, 56 to 82 percent of cybersecurity beginners plan to have adopted each of them, compared with 27 to 68 percent of intermediates and leaders.

Imagine a scenario in which 50 security analysts are constantly searching for threats across thousands of events within a company's IT environment. Not only is that a pricey proposition, but it would almost certainly fail to spot every danger. AI technologies such as machine learning, on the other hand, can quickly scour data and direct analysts to patterns of abnormal or suspicious machine and/or human behaviors.

— Tom Lemon, Managing Director, Technology Consulting


Quantitative Methods Bring Far-Reaching Benefits

While other technologies and methods will see a larger jump in adoption over the next two years, the percentage of technology firms now using quantitative methods for cybersecurity risk analysis, combined with those that plan to adopt them in the next two years, will make them a cybersecurity mainstay by 2020. This development will improve the ability of the industry to respond quickly to cyber threats on a practical level, while solidifying a more holistic and analytical approach to cybersecurity.


Less Than One Day for ... (percentage of firms completing the activity in less than one day, by use of quantitative methods for risk assessment: using them now / planning to in two years / neither)

Data recovery: 26% / 18% / 15%
Implementing patches: 32% / 21% / 23%
Mitigating vulnerabilities: 33% / 23% / 20%
Incident discovery: 49% / 30% / 29%


The fact that companies that have not yet incorporated quantitative methods for risk analysis still report the benefits below suggests that they have already begun to make their cybersecurity strategy more data-driven.

Use of Metrics in Cybersecurity Strategy (percentage of firms agreeing, by use of quantitative methods for risk assessment: using them now / planning to in two years / neither)

Our security metrics help us determine the resources we need to apply to our security program: 87% / 82% / 48%
Metrics are well understood by senior management and the board: 88% / 79% / 51%
Our metrics prioritize our security controls and processes: 91% / 80% / 50%
Our security metrics help us evaluate real progress in achieving our cybersecurity goals: 91% / 80% / 48%


Supporting Cybersecurity Across the Organization

An organization's cybersecurity function does not exist in a vacuum, of course. As in other industries, technology companies need to ensure that other parts of the organization are aligned with the cybersecurity mission. For example, given the amount of customer data that software and telecom companies hold, it is notable that less than a quarter of software and telecom companies have appointed a data protection officer. Organizations that have not done so (and which are not legally required to do so based on where they operate) need to closely examine how they have chosen to structure their data privacy function to ensure that it is adequate.

This data also shows that technology companies have an opportunity to increase the engagement of the board and the broader management team regarding cybersecurity. Forty-four percent of technology companies have their audit function review the company's risk appetite statement and incorporate gaps into the audit strategy, indicating that nearly half of the companies represented in the survey have a fairly sophisticated approach to risk. But only about half that number have incorporated their cyber-risk statement into their enterprisewide risk statement, or have had the cyber-risk statement approved by the board. Technology firms should endeavor to integrate cyber risk into larger risk considerations. Doing so will make the company's risk discussions better reflect reality, while increasing awareness of cybersecurity issues among company decision-makers.

Organizational Support for Cybersecurity (percentage of companies: Non-Tech / All Tech / Software / Hardware / Telecom)

Leadership
An executive with sole responsibility for ensuring information security has been appointed: 40% / 37% / 33% / 46% / 34%
A data protection officer has been appointed to oversee data privacy compliance: 19% / 21% / 23% / 16% / 22%

Support
The HR department has a budget for recruiting, training and developing employees to improve cybersecurity: 39% / 46% / 43% / 41% / 58%
A third-party forensics provider is used: 9% / 7% / 10% / 4% / 2%

Governance
The independent audit function regularly reviews the risk appetite statement and incorporates gaps into the audit strategy: 40% / 44% / 45% / 33% / 54%
A cyber-risk appetite statement has been approved by the board: 20% / 20% / 21% / 21% / 14%
The cyber-risk appetite statement is part of the enterprisewide risk statement: 15% / 22% / 26% / 17% / 18%


Recommendations

Our survey results highlight a number of steps that technology industry decision-makers may wish to consider so that their cybersecurity function stays ahead of evolving threats:

01 Examine how cybersecurity is regarded within the organization. Firms that see it as a potential business differentiator rather than a maintenance obligation are more likely to give it the appropriate level of resources and attention. Cybersecurity should be factored into the audit function and into board-level discussions, and, along with data privacy, given dedicated attention within senior management.

02 Look critically at the progress being made in implementing the various NIST Cybersecurity Framework activities and consider adopting more aggressive goals. The percentage of technology firms that are still “cybersecurity beginners” is problematic given the industry’s role in enabling the increased digitalization of business.

03 The importance of adequate funding cannot be overemphasized, especially for firms looking to gain the critical mass needed to move past the beginner stage. This is likely to require the CEO and possibly the board to champion the organization’s ownership of its cyber risk.

04 Examine cybersecurity strategic planning to refine how it prioritizes the potential threats that may emerge in the coming years. Inventory the array of tools currently used and consider the benefit of adopting a wider range of solutions. Review both current infrastructure and personnel capabilities to ensure that they are able to adapt to the next generation of cybersecurity threats and countertactics.

05 Firms that are not yet using, or have not made plans to use, quantitative methods for cybersecurity risk assessment should consider doing so. Approaching cybersecurity with a quantitative mindset brings a range of benefits, including better cybersecurity performance and decision-making.


How Protiviti Can Help

Protiviti works with organizations to focus on foundational information security questions:

• Do we know what we need to protect (e.g., the data and information systems assets that are most important — the “crown jewels”) and where those assets are located? Concerning these assets:

  – Are we properly caring for them? How do we know?

  – Who are we protecting them from, to whom should we permit access, and how can we tell the difference?

  – Are our defenses effective? Are they working as intended?

  – How will we know if things are not working as we planned?

• Are we able to recognize a new threat to our environment and detect likely attack techniques on a timely basis and align our protection measures to meet the threat?

• Are we ready to respond if something bad were to happen? Are we capable of managing such incidents? And when incidents occur, are we able to keep them from happening again?

Protiviti provides a wide variety of security and privacy assessment, architecture, transformation, and management services to help organizations identify and address security and privacy exposures (e.g., loss of customer data, loss of revenue or reputation impairment) before they become problems. Working with companies in all industries, we evaluate the maturity of their information security programs and the efficacy of their controls — and help them design and build improvements when needed. We have a demonstrated track record of helping companies react to security incidents, establish proactive security programs, deal with identity and access management, and handle industry-specific data security and privacy issues. Our experience and dedication to developing world-class incident responses have resulted in deep expertise in security strategies, response execution, forensic analysis and response plan development.


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

CONTACTS

United Kingdom

Roland Carandang Managing Director London +44.20.7389.0443 [email protected]

Thomas Lemon Managing Director London +44.20.7024.7526 [email protected]

United States

Gordon Tucker Managing Director Global Technology Industry Practice Leader +1.415.402.3670 San Francisco [email protected]

Cal Slemp Managing Director Security and Privacy Program and Policy Services Segment Lead New York City +1.203.905.2926 [email protected]

Scott Laliberte Managing Director Global Leader of Security and Privacy Philadelphia +1.267.256.8825 [email protected]

Michael Ebert Managing Director Healthcare Industry Cyber Lead Philadelphia +1.267.234.9735 [email protected]

Andrew Retrum Managing Director Financial Services Industry Cyber Lead Chicago +1.312.476.6353 [email protected]

Jeffrey Sanchez Managing Director Data Security and Privacy Segment Lead Los Angeles +1.213.327.1433 [email protected]

David Taylor Managing Director Response and Recovery Segment Lead Orlando +1.407.849.3916 [email protected]

Michael Walter Managing Director Cyber Intelligence and Response Center Lead Atlanta +1.303.898.9145 [email protected]

Australia

Ewen Ferguson Managing Director Sydney +61.2.8220.9500 [email protected]

China and Hong Kong

Michael Pang Managing Director Hong Kong +852.2238.0438 [email protected]

Germany

Kai-Uwe Ruhse Managing Director Frankfurt +49.699.6376.8148 [email protected]

Italy

Enrico Ferretti Managing Director Rome +39.346.7981427 [email protected]

Japan

Fumihito Fujiwara Managing Director Tokyo +81.70.6962.9797 [email protected]

Masato Maki Managing Director Tokyo +81.80.1177.3674 [email protected]

© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0319-103131 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA*: Buenos Aires

BRAZIL*: Rio de Janeiro, Sao Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE*: Santiago

COLOMBIA*: Bogota

MEXICO*: Mexico City

PERU*: Lima

VENEZUELA*: Caracas

EUROPE, MIDDLE EAST & AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

NETHERLANDS: Amsterdam

UNITED KINGDOM: Birmingham, Bristol, Leeds, London, Manchester, Milton Keynes, Swindon

BAHRAIN*: Manama

KUWAIT*: Kuwait City

OMAN*: Muscat

QATAR*: Doha

SAUDI ARABIA*: Riyadh

UNITED ARAB EMIRATES*: Abu Dhabi, Dubai

EGYPT*: Cairo

SOUTH AFRICA*: Durban, Johannesburg

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA*: Bengaluru, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

*MEMBER FIRM
