Do you intend to fight all your cyber-fires yourself?

Fabian Faistauer Head Cyber Compliance Monitoring, PwC Switzerland 09 Nov 2020

Companies quickly realised that digitised business processes and remote working might be the only way of surviving the Covid-19 crisis intact. Not everyone started out as far down the digital track, so in many cases massive efforts have been needed to keep products and services moving and staff occupied. Cybersecurity has sometimes been neglected in the process. As a result, we’ve seen a massive increase in cyber-attacks, and many organisations are realising that new technology introduces new risks as well as benefits. How do companies get up to speed and go about identifying and assessing risks and reducing them to an acceptable level?

What we’re seeing all around us is confirmed by the findings of PwC’s Digital Trust Insights 2021 survey the health and economic crisis has fuelled further technological and organisational change, with 50% of Swiss executives saying they’re accelerating digitalisation in the wake of Covid-19 (that’s ten or more percentage points higher than in the global and Western European samples).  

Q - Which of the following changes are most likely to be impacts of the COVID-19 experience in your industry?

Swiss companies’ main motivations for digital transformation are doing what they’ve always done but faster and more efficiently (38% of respondents), and modernising their organisation/brand with new capabilities (32%). Other significant digital ambitions in Switzerland are changing core business model and redefining the organisation (14%), and breaking into new markets or industries (13%).

PwC’s Digital Trust Insights 2021 survey

Q - What is the primary aspiration for your enterprise-wide, technology-driven business transformation or major digital initiatives?

New tech, new risks

It’s clear that new technologies and business models combined with the rapid pace of adoption bring new risks. The faster you’re moving and the more unfamiliar the territory, the more alert you have to be and the more you have to be able to trust your cybersecurity. Are Swiss companies sufficiently aware of this? Unfortunately the survey suggests that they aren’t: while half of global respondents say they’re now more likely to consider cybersecurity in every business decision, the figure in Switzerland is only 32%. 

Is Switzerland lagging behind?

At such a critical juncture for cybersecurity and CISOs (chief information security officers), this figure gives grounds for concern. With so many Swiss companies accelerating their digitalisation efforts, are they sufficiently mindful that a business-driven cybersecurity strategy is the single most important step for business and the people who lead their security functions? Again, the survey suggests there may be a gap between perceived threats and action. Across most relevant areas, Swiss companies fall way behind their global and Western European peers in terms of their progress in cybersecurity in the last three years. At the same time, respondents in Switzerland fear considerably more serious impacts of cyber incidents in most major categories.  

PwC’s Digital Trust Insights 2021 survey

Q - In your view, what is: (a) the likelihood of these events occurring in your industry in the next 12 months, and (b) the extent of impact, if it were to happen, on your organisation?

This could mean that Swiss companies have some catching up to do in terms of assuring the cyber hygiene (cyber-compliance) necessary to achieve cyber resilience and stave off these threats.

The good news from the survey is that the percentage of Swiss companies that have started implementing measures – in areas including skills, technology, organisation and reporting − to improve the management of cybersecurity compares very well with the global and Western European samples.

What do companies need to do?

Achieving true cyber resilience isn’t just a matter of buying and installing technology. That’s not to say that the technology hasn’t become very good. It has, and it’s also become much easier to integrate and use. The truth is, though, that once you’ve understood the risks that new technology and online presence entail, cybersecurity really starts with some homework: working out which of your precious IT assets have to be protected. Basically, these will consist of electronic data and business-relevant IT services. Then you need to find ways of protecting these ‘crown jewels’. At this point you could go out and evaluate, procure and implement all the relevant security tools yourself. But does this make sense? 

Like we said, cyber resilience isn’t just about technology. As the survey shows, the spectrum of skills and expertise required by organisations to master the cybersecurity challenge is immense, ranging from data analysis and security intelligence to cloud know-how and business process acumen. Companies have to think carefully about which of these skills they can or want to cover in-house. They also have to be realistic about what’s available on the market: there’s no longer the expertise to satisfy the massive need for cybersecurity specialists triggered by the acceleration in digital transformation.

Standardised expertise a more realistic and effective approach

Does every company have its own firefighters? Of course not. There simply aren’t enough to go round. What we have instead is fire brigades: organisations that specialise in putting out fires. But to make this system work, we’ve also defined basic protective measures to minimise the damage and enable a building to be evacuated in an emergency. We also have ways of detecting fires in good time so that the firefighters can be called out. Last but not least, we have mechanisms in place that enable other fire brigades to be brought in if there’s a major incident. 

While it may be possible and preferable for some companies to create their own cyber defence or security operation centre, it’s eminently possible − and indeed makes a lot of sense − to approach cybersecurity in the same way as firefighting. Instead of trying to set up an entire team of cyber specialists of your own, why not consider buying in standardised managed services from a professional provider? That way you don’t have to redefine and reinvent cybersecurity yourself. You have the support of professionals who will monitor security and compliance on a permanent basis. They have the experience and expertise, and the knowledge of the market, to choose the best tools and processes to achieve the level of security you define. 

Remember that cyber-resilience adequate to today’s complex and constantly changing threats requires a high degree of maturity in many different fields. It also requires the ability to mobilise substantial resources instantly if an incident does occur – and make sure your organisation survives with its reputation, operations and bottom line intact.

In conclusion: have you considered managed security services?

Buying in standardised managed security services might be the best approach for you to achieve the cyber resilience you need without having to take care of everything yourself. With security specialists in short supply, it could be by far the easiest option – as well as the most efficient and effective. 

You have some questions? 

Reach out to us

 

 

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Fabian Faistauer

Fabian Faistauer

Head Cyber Compliance Monitoring, PwC Switzerland

Tel: +41 58 792 13 33

Lorenz Neher

Lorenz Neher

Head Security Architecture and Operation, PwC Switzerland

Tel: +41 58 792 47 85