Internal Audit, Risk, Business & Technology Consulting
A Path for Accelerating Progress
Cybersecurity in the Technology Industry
A Path for Accelerating Progress · 1protiviti.com
Introduction

The technology industry provides much of the infrastructure powering the digital transformation of business and personal life around the globe. As such, the effectiveness of the industry’s cybersecurity programs has consequences that reach far beyond the technology industry itself.

To assess the current state and direction of cybersecurity in technology organisations around the world, Protiviti has extracted the responses of 250 software, hardware and telecom executives who participated in The Cybersecurity Imperative, a global online survey on cybersecurity practices.1 The in-depth interviews with chief information security officers (CISOs) and cybersecurity experts, and input from an executive advisory board, supplement the survey.

In this white paper, we begin by examining how technology firms assess the implementation of their cybersecurity programs against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.2 We then discuss survey findings regarding threats and countertactics and how cybersecurity is supported internally by policies and organisational structure. The report concludes with recommendations that individual technology firms can use to help strengthen their cybersecurity practices.

1 The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change, a research report from a joint effort of ESI ThoughtLab, WSJ Pro Cybersecurity, Protiviti and a group of prominent organisations to conduct rigorous global research and analysis involving a survey of 1,300 global executives across multiple industries, advisory meetings and interviews with leading experts and practitioners, and analytical tools to benchmark approaches and assess performance impacts. The research is available at http://go.dowjones.com/cybersecurity-imperative.
2 The NIST Cybersecurity Framework offers computer security guidance for private sector organisations in the United States to use when assessing and improving their ability to prevent, detect and respond to cyber attacks. It is available at www.nist.gov/cyberframework.
[Figure: Company Type and Headquarters for the Cybersecurity Imperative Survey Respondents. Company type: Software, Hardware, Telecom. Headquarters location: US/CAN, EU/UK, LATAM, APAC. Values as extracted, assignment to labels not recoverable: 32%, 32%, 28%, 8%, 20%, 52%, 28%.]
Functional Maturity and Resource Allocation
The NIST Cybersecurity Framework provides a
standard checklist of 23 recommended activities
grouped into five functions — Identify, Protect,
Detect, Respond and Recover — which organisations
can use in developing their cybersecurity strategy.
In our survey, we asked respondents to evaluate
their progress in each of these activities according to
the scale shown at the right.
Detailed Findings
These self-evaluations reveal that most technology
companies have significant work ahead to develop
their cybersecurity functions. Very few of the
firms represented by the executives we surveyed
have reached the advanced level in any of the 23
cybersecurity activities. This finding was echoed
in further analysis, in which we aggregated each
company’s maturity levels across the entire
set of activities and then categorised firms as
cybersecurity “beginners,” “intermediates” or
“leaders” based on the total of their maturity level
scores. Not only does the technology industry
lag slightly compared with other industries in
the percentage of companies categorised as
cybersecurity leaders, but it also has a much higher
percentage of cybersecurity beginners.
Cybersecurity Maturity Level: Description
  No action
  Beginning: Starting to think about the activity
  Developing: Planning and support building
  Maturing: Seeing progress and benefits
  Advanced: Ahead of most peers and seeing significant benefits

[Figure: Maturity of Cybersecurity Function. Percentage of companies categorised as Beginners, Intermediates and Leaders, for Software, Hardware, Telecom, All Tech and Non-Tech. Value sets as extracted, row assignment not recoverable: 29%/50%/21%, 29%/54%/17%, 45%/36%/19%, 42%/44%/14%, 40%/43%/17%.]
On the one hand, the industry’s showing seems counterintuitive — one would expect technology firms to have a heightened awareness of both evolving cyber threats and the cost of being underprepared for them. But perhaps the cybersecurity function within the technology industry simply reflects to a greater degree the budgeting and resource pressures that cybersecurity faces across all industries. Outside of the technology industry, cybersecurity must compete with other technology functions and initiatives, such as research and development, digital transformation, and improvements to user experience — all budget line items where it is easier to build enthusiasm and buy-in among multiple decision-makers. These pressures are even more acute in the technology industry, where factors like research and development and user experience drive a company’s market presence.

Even so, we would argue that this merely makes it more imperative for cybersecurity leaders to advocate effectively for their functions within their organisations. Our survey results show how the maturity of the cybersecurity function correlates with the adequacy of cybersecurity funding (see chart below).

In some cases, the budget shortfall is significant: Among executives at cybersecurity beginner firms who felt their cyber funding was inadequate, 28 percent said a budget increase of 21 percent to 30 percent was needed. In other cases, however, the requests were more modest: 37 percent called for a cybersecurity budget increase of 6 percent to 10 percent.

Particularly at technology companies where the cybersecurity function is in the early stages of development, board members, CEOs, CFOs and other decision-makers should be proactive about evaluating the cybersecurity budget so that the function properly reflects the central role that digital technology plays throughout business today.

The survey results show a telling difference in how cybersecurity is thought of in the technology industry, depending on the company’s level of cybersecurity maturity. While executives from companies with early-stage cybersecurity functions primarily think of cybersecurity in terms of incident prevention and reduced risks, executives from companies with more advanced cybersecurity view the function more strategically, as drivers of speed to market, customer engagement and market share.

Executives Reporting Adequate Cybersecurity Budgets
  Beginners: 28%
  Intermediates: 76%
  Leaders: 86%
[Figure: Perceived Benefits of Cybersecurity, by maturity group (Beginners, Intermediates, Leaders). Benefits listed: Increased market share, Improved customer engagement, Faster speed to market (emphasised by intermediates and leaders); Incident prevention, Risk reduction (emphasised by beginners). Values as extracted, assignment not recoverable: 20%, 23%, 8%, 27%, 8%, 6%, 32%, 24%, 12%, 20%, 44%, 64%, 52%, 57%, 83%.]
Implementation of the NIST Cybersecurity Framework
Perhaps the most notable high-level finding from
the survey is how similar the technology industry
is to other industries in its progress against the
NIST Cybersecurity Framework. This may reflect the
fact that as cybersecurity has become strategically
important across the economy, no one industry
has a privileged position in retaining cybersecurity
expertise. It may also be the case that, as suggested
earlier, cybersecurity within the technology industry
faces a higher level of competition for internal
resources. In any event, however, these findings
should be taken as a reason to evaluate closely the role
cybersecurity plays within technology organisations.
Identify
Develop an organisational understanding to
manage cybersecurity risk to systems, people,
assets, data and capabilities.
Among technology companies, most progress
in the Identify function has been made in risk-
based activities — a pattern that occurs in other
industries as well. (Hardware companies make a
particularly strong showing here.) But while risk
assessment and management provide a strong
groundwork for many aspects of the cybersecurity
function, they need to be paired with strong
governance and integration of cyber concerns with
the overall business.
Poised for Improvement
• Risk management strategy: 54 percent of telecom
companies are currently at the developing stage,
compared with 38 percent of software companies
and 39 percent of hardware companies.
• Governance: 53 percent of hardware companies
and 56 percent of telecom companies are at the
developing stage.
Areas of Concern
• Asset management: 40 percent of technology
companies are still at the beginning stage,
compared with 31 percent of non-technology
companies.
• Risk management strategy: 31 percent of software
companies are still at the beginning stage,
compared with 16 percent of hardware companies
and 18 percent of telecom companies.
• Business environment: 30 percent of software
companies are still at the beginning stage,
compared with 20 percent of hardware companies
and 12 percent of telecom companies.
Identify Activities: Percentage of Companies at the Maturing Level

Activity                        Non-Tech  All Tech  Software  Hardware  Telecom
Risk Management Strategy           33%       33%       29%       44%      28%
Supply Chain Risk Management       30%       29%       25%       37%      26%
Risk Assessment                    32%       27%       21%       41%      22%
Business Environment               18%       16%       15%       13%      22%
Organisational Roles               19%       15%       16%       13%      14%
Asset Management                   17%       10%       10%        7%      16%
Governance                         12%       10%       12%        7%       6%
Average                            23%       20%       18%       23%      19%

Activity descriptions:
  Risk Management Strategy: Establish priorities, constraints, risk tolerances and assumptions for managing operational risk.
  Supply Chain Risk Management: Establish priorities, constraints, risk tolerances and assumptions for managing supply chain risk, as well as establishing and implementing the processes to identify, assess and manage supply chain risks.
  Risk Assessment: Identify the cybersecurity risk to organisational operations (including mission, functions, image, or reputation), organisational assets and individuals.
  Business Environment: Understand and prioritise the organisation’s objectives, stakeholders and activities.
  Organisational Roles: Set roles and responsibilities for the entire workforce and third-party stakeholders.
  Asset Management: Identify the data, data flows, devices, personnel and systems that could affect cybersecurity.
  Governance: Understand the policies, procedures and processes to manage and monitor the organisation’s regulatory, legal, risk and operational requirements.
Protect
Develop and implement appropriate safeguards to
ensure delivery of critical services.
As with other industries, technology companies tend to be strongest overall in the Protect realm, which is where most organisations traditionally start to build their cybersecurity function. But there is a notable drop-off in the activities necessary to support the frontline protection efforts. The state of awareness and training is of particular concern, given the cybersecurity risk posed by untrained general staff (see the sidebar “Employees Are the Weakest Link”), as is maintenance — the single-digit percentages of hardware and telecom companies at the maturing level highlight the need for more resources here.
Poised for Improvement
• Identity management and access control: 47 percent
of software companies and 42 percent of telecom
companies are currently at the developing stage.
• Protective technology: Two-thirds of telecom and
hardware companies are at the developing stage,
compared with 51 percent of software companies.
Areas of Concern
• Maintenance: Only 10 percent of technology firms
have reached the maturing stage, compared with
15 percent of non-technology companies.
• Protective technology: 31 percent of software
companies are still at the beginning stage,
compared with 17 percent of hardware companies
and 20 percent of telecom companies.
There is a global shortage of tech talent — not only for startups, but also for legacy companies undergoing
digital transformation. This shortage has forced tech companies to deploy their precious human resources
on core activities like product development and customer acquisition, while adopting a flexible labour
model, which includes trusted third parties, whenever possible.
— Gordon Tucker, Managing Director, Global Technology Industry Practice Leader
Protect Activities: Percentage of Companies at the Maturing Level

Activity                                          Non-Tech  All Tech  Software  Hardware  Telecom
Identity Management and Access Control               38%       36%       28%       51%      34%
Information Protection Processes and Procedures      34%       35%       30%       43%      36%
Data Security                                        33%       33%       32%       41%      26%
Protective Technology                                20%       16%       18%       16%      14%
Awareness and Training                               17%       16%       15%       16%      18%
Maintenance                                          15%       10%       13%        6%       8%
Average                                              26%       24%       23%       29%      23%

Activity descriptions:
  Identity Management and Access Control: Limit access to physical and logical assets and associated facilities to authorised users, processes and devices.
  Information Protection Processes and Procedures: Maintain security policies, processes and procedures for protecting information systems and assets.
  Data Security: Manage data in line with risk strategy to protect the confidentiality, integrity, and availability of information and the privacy rights of data subjects.
  Protective Technology: Manage technical security solutions according to policies, procedures and agreements to ensure the security and resilience of systems and assets.
  Awareness and Training: Train personnel and partners in cybersecurity awareness and to perform cybersecurity duties in line with policies, procedures and agreements.
  Maintenance: Perform maintenance and repairs of industrial control and information system components according to policies and procedures.
Employees Are the Weakest Link

Cybersecurity professionals have long argued that cybersecurity needs to be seen as “everyone’s job” and an integral part of company culture. That message seems to have taken hold: When asked to name their greatest internal cybersecurity risk, technology executives, like their counterparts in other industries, are more likely to name untrained general staff than any other source. However, while awareness of this problem is high, combatting the issue is still very much a work in progress. Thus, accelerating investment in awareness and training in this area is likely to yield a noticeable return.

• Telecom companies are also concerned about malicious insiders, with nearly half (48 percent) of executives from those firms naming that risk.
• Software companies are also concerned about privileged insiders, which were cited by 43 percent of those executives.
• Concern over contractors varied widely. Over a quarter (26 percent) of hardware companies cited them as potential risks, while only 4 percent of telecom companies did.

Internal Threats Posing Significant Risk
  Untrained general staff: 90%
  Privileged insiders: 37%
  Malicious insiders: 27%
  Contractors: 15%
Note: These percentages apply to all technology organisations.
Detect
Develop and implement appropriate activities to
identify the occurrence of a cybersecurity event.
Because detection activities are primarily tech-
driven, the technology industry’s activities here
should expand in the next two years, as new
approaches are incorporated (see the Tools and
Technologies section). There is, however, an
important caveat: The adoption of technologies
needs to be matched by the capability to use those
technologies strategically. As the current data shows,
the benefit of continuous security monitoring and
detection processes is blunted without a parallel
ability to understand the impact of detected events
(the “anomalies and events” activity).
Poised for Improvement
• Continuous security monitoring: 50 percent of
telecom companies are at the developing stage,
compared with 44 percent of software companies
and 33 percent of hardware companies.
• Anomalies and events: While only 3 percent of
hardware companies are at the maturing stage,
57 percent are at the developing stage.
Areas of Concern
• Detection processes: 35 percent of software
companies are still at the beginning stage
compared with 24 percent of hardware companies
and 26 percent of telecom companies.
• Predictive analytics: While 26 percent of telecom
companies have reached the maturing stage, 38
percent are still at the beginning stage.
Detect Activities: Percentage of Companies at the Maturing Level

Activity                          Non-Tech  All Tech  Software  Hardware  Telecom
Continuous Security Monitoring       36%       30%       27%       41%      24%
Detection Processes                  25%       23%       19%       27%      26%
Predictive Analytics                 21%       20%       19%       16%      26%
Anomalies and Events                 13%       12%       17%        3%      14%
Average                              24%       21%       21%       22%      23%

Activity descriptions:
  Continuous Security Monitoring: Monitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures.
  Detection Processes: Maintain and test detection processes and procedures to ensure awareness of anomalous events.
  Predictive Analytics: Forecast future cyberattacks by analysing high volumes of data using AI and other advanced technologies.
  Anomalies and Events: Detect anomalous activity and understand the potential impact of events.
The Cybersecurity Paradox

Our survey uncovered a counterintuitive finding: The more advanced a technology firm’s cybersecurity efforts, the more cyber breaches it suffers. That is likely because firms with more mature cybersecurity functions have better detection, while those in the earlier stages are simply unaware of intrusions. While 30 percent of technology firms overall have continuous security monitoring at the maturing level, only 1 percent of those categorised as cybersecurity beginners do, compared with 75 percent of technology’s cybersecurity leaders.

Cybersecurity Incidents in the Last Fiscal Year
                                                                             Beginners  Intermediates  Leaders
More than 1,000 records stolen involving personally identifiable information     2%          19%         25%
Three or more breaches requiring emergency response plan deployment             17%          37%         45%
Respond
Develop and implement appropriate activities to
take action regarding a detected cybersecurity
incident.
While the percentage of technology firms that have
reached the maturing stage in analysis provides a
foundation, there is significant work to be done in
response to cyber breaches. In particular, companies
should increase their focus on response planning,
which can drive improvements in other collateral
areas. Software and hardware companies should follow
telecom’s lead and redouble their mitigation efforts.
Poised for Improvement
• Communications: 63 percent of hardware
companies are at the developing stage, compared
with 51 percent of software companies and
44 percent of telecom companies.
Areas of Concern
• Communications: 42 percent of telecom firms
are still at the beginning stage, compared with
29 percent of software companies and 21 percent
of hardware companies.
Respond Activities: Percentage of Companies at the Maturing Level

Activity                 Non-Tech  All Tech  Software  Hardware  Telecom
Analysis                    39%       35%       32%       41%      36%
Ongoing Improvements        24%       20%       15%       30%      18%
Response Planning           18%       20%       21%       21%      14%
Communications              23%       16%       17%       16%      12%
Mitigation                  11%        7%       11%        1%       6%
Average                     23%       20%       19%       22%      17%

Activity descriptions:
  Analysis: Analyse incidents to ensure effective response and support recovery.
  Ongoing Improvements: Improve organisational response by incorporating lessons learned from current and previous cybersecurity activities.
  Response Planning: Maintain and execute processes and procedures to ensure response to detected cybersecurity incidents.
  Communications: Coordinate response with internal and external stakeholders, such as law enforcement agencies.
  Mitigation: Act to prevent expansion of an event, mitigate its effects and resolve the incident.
Recover
Develop and implement appropriate activities to
maintain plans for resilience and to restore any
capabilities or services that were impaired due to
a cybersecurity incident.
Cybersecurity leaders and others in the C-suite
have long recognised that in today’s environment,
suffering a cybersecurity breach is a matter of
“when,” not “if.” A firm’s recovery capabilities will
be tested — and may well determine the long-term
impact of the breach on the business. Technology
companies across the board thus need to prioritise
this set of cybersecurity activities — beginning with
increased efforts to become “continuously learning”
organisations regarding their recovery processes.
Poised for Improvement
• Recovery planning: 61 percent of hardware
companies and 58 percent of telecom companies
are at the developing stage, compared with
48 percent of software companies.
• Ongoing improvements: 70 percent of hardware
companies are at the developing stage, compared
with 61 percent of software companies and 52
percent of telecom companies.
Recover Activities: Percentage of Companies at the Maturing Level

Activity                 Non-Tech  All Tech  Software  Hardware  Telecom
Communications              26%       22%       19%       27%      22%
Recovery Planning           20%       20%       25%       20%      10%
Ongoing Improvements        23%       14%       12%       17%      18%
Average                     23%       19%       19%       21%      17%

Activity descriptions:
  Communications: Coordinate restoration efforts — including public relations and reputation management — both internally and externally with internet service providers (ISPs).
  Recovery Planning: Maintain and execute recovery plans — during or after a cybersecurity incident — to ensure restoration of affected systems or assets.
  Ongoing Improvements: Incorporate lessons learned into future recovery planning and processes.
Emerging Threats and Countertactics

The Evolving Nature of Cyberattacks

As the technology industry’s digital transformation continues, cyberattacks are expected to evolve accordingly. Today, the threat of direct attacks from malware, ransomware, Trojan horses and more dominates the cybersecurity landscape. Over the next two years, survey respondents expect new vulnerabilities to emerge from greater connectivity and system complexity.

However, this shift reflects the expected addition of new threats rather than any lessening of current ones. Two possible interpretations emerge from this data. The first is that there is inherent difficulty in prioritising future threats. The second is that the threat profile two years from now will in fact be significantly more multidimensional. Either interpretation presents a challenge for cybersecurity strategic planning.

Attacks With the Biggest Impact

Now:
  01 Malware/spyware
  02 Attacks through mobile apps
  03 Ransomware
  04 Phishing/spoofing/social engineering
  05 Trojan horses/viruses/worms

In Two Years:
  01 Attacks through mobile apps
  02 Web application attacks
  03 Attacks through supply chain software and hardware
  04 Attacks through embedded systems
  05 Denial of service (DoS)/Distributed denial of service (DDoS)
Attacks With Significant Impact (percentage of respondents)

Attack type                                          Now   In Two Years
Trojan horses/viruses/worms                          64%       66%
Malware/spyware                                      71%       81%
Phishing/spoofing/social engineering                 65%       66%
Ransomware                                           67%       70%
Attacks through mobile apps                          69%       86%
Web application attacks                              43%       84%
Attacks through embedded systems                     39%       79%
Lost/stolen devices                                  28%       61%
DoS/DDoS                                             27%       75%
Abuse of legitimate access                           23%       67%
Attacks through supply chain hardware and software   27%       80%
Attacks through third parties                        16%       66%
The Effect of Internal and External Trends
From a cybersecurity perspective, technological
advances are a double-edged sword, providing
greater capabilities and control but also creating
new channels for intrusion. Reflecting this, when
asked which internal and external trends were
affecting cybersecurity, technology executives gave
much more emphasis to new technologies, such
as artificial intelligence (AI) and blockchain, and
technologically driven factors like open platforms
and interconnectivity, than they did to business
factors like mergers and acquisitions (M&A) and
expanded supply chains.
The emphasis on technological factors when assessing
the cybersecurity landscape is not surprising.
But technology firms should remember that
business combinations, lengthening supply chains
and global operations significantly expand an
organisation’s attack surface while introducing an
array of control challenges.
[Figure: Impact of Trends on Cybersecurity. Technological factors: New technologies (AI, Internet of Things (IoT) and blockchain); Interconnectivity and mobile technologies; Use of open platforms, application programming interfaces (APIs) and cloud; Digitally enabled products, services and interfaces; Digital transformation of business. Business factors: Expanded supply chain; Growth through M&A, joint ventures, and partnerships. Values as extracted, assignment not recoverable: 20%, 16%, 29%, 18%, 40%, 54%, 58%.]
Machine learning, advanced analytics, artificial intelligence and other technologies, once regarded as
experimental, are core competencies now. They’re required capabilities to fuel new customer insights and
deliver new customer experiences.
— Ron Lefferts, Managing Director, Global Head of Protiviti Technology Consulting
Tools and Technologies
Technology firms tend to rely on a core set of five
technologies for their cybersecurity efforts. There
is, however, another set of tools that cybersecurity
leaders and intermediates use but which beginners
have yet to adopt widely. Firms that are early in
their cybersecurity development should consider
expanding their cybersecurity arsenal accordingly.
• Telecom companies are much more likely to
use IoT solutions and sensors (80 percent) than
software companies (65 percent) or hardware
companies (53 percent).
• There are several technologies more likely to be
used by hardware companies than by software or
telecom companies, including secure browsers,
network traffic analysis, third-party information
security practices, cloud access security brokers,
and endpoint detection and response software.
[Figure: Some Technologies Are Used by Many ... Technologies listed: Blockchain, IoT solutions/sensors, Multifactor authentication/biometrics, AI/machine learning, Secure browsers. Usage percentages as extracted, assignment not recoverable: 51%, 52%, 64%, 67%, 87%.]

[Figure: ... While Others Are Favoured by Those With More Experience. Technologies listed: Endpoint detection and response software, Managed security service providers, Network traffic analysis, Third-party information security practices, Cloud access security brokers, Endpoint protection software. Usage by Beginners versus Intermediates and Leaders; values as extracted, assignment to technologies not recoverable: 48%, 4%, 8%, 43%, 5%, 41%, 46%, 7%, 49%, 6%, 50%, 7%.]
Our survey findings suggest that companies across
the technology industry are primed for a significant
expansion of the cybersecurity tool set: The
three approaches that are least used today — user
behaviour analytics, smart grid technologies and
deception technology — are those that technology
firms say they are most likely to adopt during
the next two years. It is interesting to note that
cybersecurity beginners are leading the charge for
the adoption of these new technologies. This could
be a case of “leapfrogging,” in which a lagging
group accelerates its technological sophistication
through aggressive early adoption — provided
that these firms ensure that they have the proper
infrastructure and personnel in place to digest this
rapid change.
[Figure: New Technologies on the Horizon. Adoption of user behaviour analytics, smart grid technologies and deception technology: now, two years from now among Beginners, and two years from now among Intermediates and Leaders. Values as extracted, assignment not recoverable: 52%, 71%, 8%; 27%, 56%, 5%; 68%, 82%, 4%.]
Imagine a scenario in which 50 security analysts are constantly searching for threats across thousands of
events within a company’s IT environment. Not only is that a pricey proposition, but it would almost certainly
fail to spot every danger. AI technologies such as machine learning, on the other hand, can quickly scour data
and direct analysts to patterns of abnormal or suspicious machine and/or human behaviours.
— Tom Lemon, Managing Director, Technology Consulting
Quantitative Methods Bring Far-Reaching Benefits
While other technologies and methods will see a larger jump in adoption over the next two years, the
percentage of technology firms now using quantitative methods for cybersecurity risk analysis combined
with those that plan to adopt it in the next two years will make it a cybersecurity mainstay by 2020. This
development will improve the ability of the industry to respond quickly to cyber threats on a practical level,
while solidifying a more holistic and analytical approach to cybersecurity.
[Figure: Less Than One Day for ... data recovery, implementing patches, mitigating vulnerabilities and incident discovery, among firms using quantitative methods for risk assessment now, in two years, or neither. Values as extracted, assignment not recoverable: 15%, 18%, 26%; 23%, 21%, 32%; 20%, 23%, 33%; 29%, 30%, 49%.]
The fact that companies that have not yet incorporated quantitative methods for risk analysis show the benefits below suggests that they have already begun the process of becoming more data-driven in their cybersecurity strategy.
[Figure: Use of Metrics in Cybersecurity Strategy, among firms using quantitative methods for risk assessment now, in two years, or neither. Statements: “Our security metrics help us determine the resources we need to apply to our security program”; “Metrics are well understood by senior management and the board”; “Our metrics prioritise our security controls and processes”; “Our security metrics help us evaluate real progress in achieving our cybersecurity goals”. Values as extracted, assignment not recoverable: 48%, 82%, 87%; 51%, 79%, 88%; 50%, 80%, 91%; 48%, 80%, 91%.]
Supporting Cybersecurity Across the Organisation
An organisation’s cybersecurity function does not
exist in a vacuum, of course. As in other industries,
technology companies need to ensure that other
parts of the organisation are aligned with the
cybersecurity mission. For example, given the
amount of customer data that software and telecom
companies hold, it is notable that less than a quarter
of software and telecom companies have appointed
a data protection officer. Organisations that have
not done so (and which are not legally required to
do so based on where they operate) need to closely
examine how they have chosen to structure their
data privacy function to ensure that it is adequate.
This data also shows that technology companies
have an opportunity to increase the engagement
of the board and the broader management team
regarding cybersecurity. Forty-four percent of
technology companies have their audit function
review the company’s risk appetite statement and
incorporate gaps into the audit strategy, indicating
that nearly half of the companies represented in the
survey have a fairly sophisticated approach to risk.
But less than half that number have incorporated
their cyber-risk statement into their enterprisewide
risk statement, or have had the cyber-risk statement
approved by the board. Technology firms should
endeavour to integrate cyber risk into larger risk
considerations. Doing so will make the company’s
risk discussions better reflect reality, while
increasing awareness of cybersecurity issues among
company decision-makers.
Supporting Practices (percentage of companies)          Non-Tech  All Tech  Software  Hardware  Telecom

Leadership
  An executive with sole responsibility for ensuring
  information security has been appointed.                 40%       37%       33%       46%      34%
  A data protection officer has been appointed to
  oversee data privacy compliance.                         19%       21%       23%       16%      22%

Support
  The HR department has a budget for recruiting, training
  and developing employees to improve cybersecurity.       39%       46%       43%       41%      58%
  A third-party forensics provider is used.                 9%        7%       10%        4%       2%

Governance
  The independent audit function regularly reviews the
  risk appetite statement and incorporates gaps into
  the audit strategy.                                      40%       44%       45%       33%      54%
  A cyber-risk appetite statement has been approved
  by the board.                                            20%       20%       21%       21%      14%
  The cyber-risk appetite statement is part of the
  enterprisewide risk statement.                           15%       22%       26%       17%      18%
Recommendations
Our survey results highlight a number of steps that technology industry decision-makers may wish to consider so that their cybersecurity function stays ahead of evolving threats:
01 Examine how cybersecurity is regarded within the organisation. Firms that see it as a potential business differentiator rather than a maintenance obligation are more likely to give it the appropriate level of resources and attention. Cybersecurity should be factored into the audit function and into board-level discussions, and, along with data privacy, given dedicated attention within senior management.
02 Look critically at the progress being made in implementing the various NIST Cybersecurity Framework activities and consider adopting more aggressive goals. The percentage of technology firms that are still “cybersecurity beginners” is problematic given the industry’s role in enabling the increased digitalization of business.
03 The importance of adequate funding cannot be overemphasised, especially for firms looking to gain the critical mass needed to move past the beginner stage. This is likely to require the CEO and possibly the board to champion the organisation’s ownership of its cyber risk.
04 Examine cybersecurity strategic planning to refine how it prioritises the potential threats that may emerge in the coming years. Inventory the array of tools currently used and consider the benefit of adopting a wider range of solutions. Review both current infrastructure and personnel capabilities to ensure that they are able to adapt to the next generation of cybersecurity threats and countertactics.
05 Firms that are not yet using, or have not made plans to use, quantitative methods for cybersecurity risk assessment should consider doing so. Approaching cybersecurity with a quantitative mindset brings a range of benefits, including better cybersecurity performance and decision-making.
How Protiviti Can Help
Protiviti works with organisations to focus on
foundational information security questions:
• Do we know what we need to protect (e.g., the data
and information systems assets that are most
important — the “crown jewels”) and where those
assets are located? Concerning these assets:
– Are we properly caring for them? How do
we know?
– Who are we protecting them from, to whom
should we permit access, and how can we tell
the difference?
– Are our defences effective? Are they working
as intended?
– How will we know if things are not working as
we planned?
• Are we able to recognise a new threat to our
environment and detect likely attack techniques
on a timely basis and align our protection
measures to meet the threat?
• Are we ready to respond if something bad were
to happen? Are we capable of managing such
incidents? And when incidents occur, are we able
to keep them from happening again?
Protiviti provides a wide variety of security and
privacy assessment, architecture, transformation,
and management services to help organisations
identify and address security and privacy exposures
(e.g., loss of customer data, loss of revenue or
reputation impairment) before they become
problems. Working with companies in all industries,
we evaluate the maturity of their information
security programs and the efficacy of their controls
— and help them design and build improvements
when needed. We have a demonstrated track record
of helping companies react to security incidents,
establish proactive security programs, deal with
identity and access management, and handle
industry-specific data security and privacy issues.
Our experience and dedication to developing world-
class incident responses have resulted in deep
expertise in security strategies, response execution,
forensic analysis and response plan development.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
CYBERSECURITY CONTACTS
United Kingdom
Roland Carandang Managing Director London +44.20.7389.0443 [email protected]
Thomas Lemon Managing Director London +44.20.7024.7526 [email protected]
United States
Gordon Tucker Managing Director Global Technology Industry Practice Leader +1.415.402.3670 San Francisco [email protected]
Cal Slemp Managing Director Security and Privacy Program and Policy Services Segment Lead New York City +1.203.905.2926 [email protected]
Scott Laliberte Managing Director Global Leader of Security and Privacy Philadelphia +1.267.256.8825 [email protected]
Michael Ebert Managing Director Healthcare Industry Cyber Lead Philadelphia +1.267.234.9735 [email protected]
Andrew Retrum Managing Director Financial Services Industry Cyber Lead Chicago +1.312.476.6353 [email protected]
Jeffrey Sanchez Managing Director Data Security and Privacy Segment Lead Los Angeles +1.213.327.1433 [email protected]
David Taylor Managing Director Response and Recovery Segment Lead Orlando +1.407.849.3916 [email protected]
Michael Walter Managing Director Cyber Intelligence and Response Center Lead Atlanta +1.303.898.9145 [email protected]
Australia
Ewen Ferguson Managing Director Sydney +61.2.8220.9500 [email protected]
China and Hong Kong
Michael Pang Managing Director Hong Kong +852.2238.0438 [email protected]
Germany
Kai-Uwe Ruhse Managing Director Frankfurt +49.699.6376.8148 [email protected]
Italy
Enrico Ferretti Managing Director Rome +39.346.7981427 [email protected]
Japan
Fumihito Fujiwara Managing Director Tokyo +81.70.6962.9797 [email protected]
Masato Maki Managing Director Tokyo +81.80.1177.3674 [email protected]
PROTIVITI GLOBAL MARKET LEADERS
ARGENTINA
Pablo Giovannelli +54.11.5278.6345 pablo.giovannelli@protivitiglobal.com.pe
AUSTRALIA
Garran Duncan +61.3.9948.1200 [email protected]
BAHRAIN
Arvind Benani +973.1.710.0050 [email protected]
BRAZIL
Raul Silva +55.11.2198.4200 [email protected]
CANADA
David Dawson +1.647.288.4886 [email protected]
CHILE
Soraya Boada +56.22.573.8580 [email protected]
CHINA (HONG KONG)
Albert Lee +852.2238.0499 [email protected]
CHINA (MAINLAND)
David [email protected]
EGYPT
Ashraf Fahmy +202.25864560 [email protected]
FRANCE
Bernard Drui +33.1.42.96.22.77 [email protected]
GERMANY
Michael Klinger +49.69.963.768.155 [email protected]
INDIA
Sanjeev Agarwal +91.124.661.8600 [email protected]
ITALY
Alberto Carnevale +39.02.6550.6301 [email protected]
JAPAN
Yasumi Taniguchi +81.3.5219.6600 [email protected]
KUWAIT
Sanjeev Agarwal +965.2242.6444 [email protected]
MEXICO
Roberto Abad +52.55.5342.9100 [email protected]
NETHERLANDS
Anneke Wieling +31.20.346.0400 [email protected]
OMAN
Shatha Al Maskiry +968 24699402 [email protected]
PERU
Marco Villacorta +51.1.208.1070 [email protected]
QATAR
Andrew North +974.4421.5300 [email protected]
SAUDI ARABIA
Saad Al Sabti +966.11.2930021 [email protected]
SINGAPORE
Nigel Robinson +65.9169.2688 [email protected]
UNITED ARAB EMIRATES
Arindam De +9714.438.0660 [email protected]
UNITED KINGDOM
Peter Richardson +44.20.7930.8808 [email protected]
UNITED STATES
Scott Laliberte +1.267.256.8825 [email protected]
VENEZUELA
Gamal Perez +58.212.418.46.46 [email protected]
© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0319-103131-IZ-ENG Protiviti is not licenced or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
THE AMERICAS
UNITED STATES
Alexandria
Atlanta
Baltimore
Boston
Charlotte
Chicago
Cincinnati
Cleveland
Dallas
Denver
Fort Lauderdale
Houston
Kansas City
Los Angeles
Milwaukee
Minneapolis
New York
Orlando
Philadelphia
Phoenix
Pittsburgh
Portland
Richmond
Sacramento
Salt Lake City
San Francisco
San Jose
Seattle
Stamford
St. Louis
Tampa
Washington, D.C.
Winchester
Woodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro
Sao Paulo
CANADA
Kitchener-Waterloo
Toronto
CHILE*
Santiago
COLOMBIA*
Bogota
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas
EUROPE, MIDDLE EAST & AFRICA
FRANCE
Paris
GERMANY
Frankfurt
Munich
ITALY
Milan
Rome
Turin
NETHERLANDS
Amsterdam
UNITED KINGDOM
Birmingham
Bristol
Leeds
London
Manchester
Milton Keynes
Swindon
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
QATAR*
Doha
SAUDI ARABIA*
Riyadh
UNITED ARAB EMIRATES*
Abu Dhabi
Dubai
EGYPT*
Cairo
SOUTH AFRICA*
Durban
Johannesburg
ASIA-PACIFIC
AUSTRALIA
Brisbane
Canberra
Melbourne
Sydney
CHINA
Beijing
Hong Kong
Shanghai
Shenzhen
INDIA*
Bengaluru
Hyderabad
Kolkata
Mumbai
New Delhi
JAPAN
Osaka
Tokyo
SINGAPORE
Singapore
*MEMBER FIRM