Cybersecurity in the Technology Industry
A Path for Accelerating Progress
Internal Audit, Risk, Business & Technology Consulting

A Path for Accelerating Progress · 1protiviti.com

Introduction

The technology industry provides much of the infrastructure powering the digital transformation of business and personal life around the globe. As such, the effectiveness of the industry’s cybersecurity programs has consequences that reach far beyond the technology industry itself. To assess the current state and direction of cybersecurity in technology organisations around the world, Protiviti has extracted the responses of 250 software, hardware and telecom executives who participated in The Cybersecurity Imperative, a global online survey on cybersecurity practices.[1] The in-depth interviews with chief information security officers (CISOs) and cybersecurity experts, and input from an executive advisory board, supplement the survey.

In this white paper, we begin by examining how technology firms assess the implementation of their cybersecurity programs against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.[2] We then discuss survey findings regarding threats and countertactics and how cybersecurity is supported internally by policies and organisational structure. The report concludes with recommendations that individual technology firms can use to help strengthen their cybersecurity practices.

[1] The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change, a research report from a joint effort of ESI ThoughtLab, WSJ Pro Cybersecurity, Protiviti and a group of prominent organisations to conduct rigorous global research and analysis involving a survey of 1,300 global executives across multiple industries, advisory meetings and interviews with leading experts and practitioners, and analytical tools to benchmark approaches and assess performance impacts. The research is available at http://go.dowjones.com/cybersecurity-imperative.

[2] The NIST Cybersecurity Framework offers computer security guidance for private sector organisations in the United States to use when assessing and improving their ability to prevent, detect and respond to cyber attacks. It is available at www.nist.gov/cyberframework.

[Chart: Company Type and Headquarters for the Cybersecurity Imperative Survey Respondents. Company type: Software, Hardware, Telecom. Headquarters location: US/CAN, EU/UK, LATAM, APAC. Values as extracted: 32%, 32%, 28%, 8%, 20%, 52%, 28% (label-to-value assignment not recoverable from the extraction).]

2 · Protiviti

Detailed Findings

Functional Maturity and Resource Allocation

The NIST Cybersecurity Framework provides a standard checklist of 23 recommended activities grouped into five functions — Identify, Protect, Detect, Respond and Recover — which organisations can use in developing their cybersecurity strategy. In our survey, we asked respondents to evaluate their progress in each of these activities according to the scale shown below.

Cybersecurity Maturity Level: Description
No action
Beginning: Starting to think about the activity
Developing: Planning and support building
Maturing: Seeing progress and benefits
Advanced: Ahead of most peers and seeing significant benefits

These self-evaluations reveal that most technology companies have significant work ahead to develop their cybersecurity functions. Very few of the firms represented by the executives we surveyed have reached the advanced level in any of the 23 cybersecurity activities. This finding was echoed in further analysis, in which we aggregated each company’s maturity levels across the entire set of activities and then categorised firms as cybersecurity “beginners,” “intermediates” or “leaders” based on the total of their maturity level scores. Not only does the technology industry lag slightly compared with other industries in the percentage of companies categorised as cybersecurity leaders, but it also has a much higher percentage of cybersecurity beginners.

[Chart: Maturity of Cybersecurity Function. Rows: Software, Hardware, Telecom, All Tech, Non-Tech. Columns: Beginners, Intermediates, Leaders. Values as extracted: 29% 50% 21%; 29%; 45% 36% 19%; 54% 17%; 42% 44% 14%; 40% 43% 17% (row assignment not recoverable from the extraction).]


On the one hand, the industry’s showing seems counterintuitive — one would expect technology firms to have a heightened awareness of both evolving cyber threats and the cost of being underprepared for them. But perhaps the cybersecurity function within the technology industry simply reflects to a greater degree the budgeting and resource pressures that cybersecurity faces across all industries. Outside of the technology industry, cybersecurity must compete with other technology functions and initiatives, such as research and development, digital transformation, and improvements to user experience — all budget line items where it is easier to build enthusiasm and buy-in among multiple decision-makers. These pressures are even more acute in the technology industry, where factors like research and development and user experience drive a company’s market presence.

Even so, we would argue that this merely makes it more imperative for cybersecurity leaders to advocate effectively for their functions within their organisations. Our survey results show how the maturity of the cybersecurity function correlates with the adequacy of cybersecurity funding (see chart below).

In some cases, the budget shortfall is significant: Among executives at cybersecurity beginner firms who felt their cyber funding was inadequate, 28 percent said a budget increase of 21 percent to 30 percent was needed. In other cases, however, the requests were more modest: 37 percent called for a cybersecurity budget increase of 6 percent to 10 percent.

Particularly at technology companies where the cybersecurity function is in the early stages of development, board members, CEOs, CFOs and other decision-makers should be proactive about evaluating the cybersecurity budget so that the function properly reflects the central role that digital technology plays throughout business today.

The survey results show a telling difference in how cybersecurity is thought of in the technology industry, depending on the company’s level of cybersecurity maturity. While executives from companies with early-stage cybersecurity functions primarily think of cybersecurity in terms of incident prevention and reduced risks, executives from companies with more advanced cybersecurity view the function more strategically, as drivers of speed to market, customer engagement and market share.

[Chart: Executives Reporting Adequate Cybersecurity Budgets, by maturity group. Labels as extracted: Intermediate, Beginner, Leader. Values as extracted: 28%, 76%, 86% (label-to-value assignment not recoverable from the extraction).]


[Chart: Perceived Benefits of Cybersecurity, by maturity group (Beginners, Intermediates, Leaders). Benefits emphasised by Intermediates and Leaders: Increased market share; Improved customer engagement; Faster speed to market. Benefits emphasised by Beginners: Incident prevention; Risk reduction. Values as extracted: 20%, 23%, 8%, 27%, 8%, 6%, 32%, 24%, 12%, 20%, 44%, 64%, 52%, 57%, 83% (assignment to benefit and group not recoverable from the extraction).]


Implementation of the NIST Cybersecurity Framework

Perhaps the most notable high-level finding from the survey is how similar the technology industry is to other industries in its progress against the NIST Cybersecurity Framework. This may reflect the fact that as cybersecurity has become strategically important across the economy, no one industry has a privileged position in retaining cybersecurity expertise. It may also be the case that, as suggested earlier, cybersecurity within the technology industry faces a higher level of competition for internal resources. In any event, however, these findings should be taken as a reason to evaluate closely the role cybersecurity plays within technology organisations.

Identify: Develop an organisational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.

Among technology companies, most progress in the Identify function has been made in risk-based activities — a pattern that occurs in other industries as well. (Hardware companies make a particularly strong showing here.) But while risk assessment and management provide a strong groundwork for many aspects of the cybersecurity function, they need to be paired with strong governance and integration of cyber concerns with the overall business.

Poised for Improvement

• Risk management strategy: 54 percent of telecom companies are currently at the developing stage, compared with 38 percent of software companies and 39 percent of hardware companies.

• Governance: 53 percent of hardware companies and 56 percent of telecom companies are at the developing stage.

Areas of Concern

• Asset management: 40 percent of technology companies are still at the beginning stage, compared with 31 percent of non-technology companies.

• Risk management strategy: 31 percent of software companies are still at the beginning stage, compared with 16 percent of hardware companies and 18 percent of telecom companies.

• Business environment: 30 percent of software companies are still at the beginning stage, compared with 20 percent of hardware companies and 12 percent of telecom companies.


Identify activities: percentage of companies at the maturing level (Non-Tech / All Tech / Software / Hardware / Telecom)

Risk Management Strategy: 33% / 33% / 29% / 44% / 28%
  Establish priorities, constraints, risk tolerances and assumptions for managing operational risk.

Supply Chain Risk Management: 30% / 29% / 25% / 37% / 26%
  Establish priorities, constraints, risk tolerances and assumptions for managing supply chain risk, as well as establishing and implementing the processes to identify, assess and manage supply chain risks.

Risk Assessment: 32% / 27% / 21% / 41% / 22%
  Identify the cybersecurity risk to organisational operations (including mission, functions, image, or reputation), organisational assets and individuals.

Business Environment: 18% / 16% / 15% / 13% / 22%
  Understand and prioritise the organisation’s objectives, stakeholders and activities.

Organisational Roles: 19% / 15% / 16% / 13% / 14%
  Set roles and responsibilities for the entire workforce and third-party stakeholders.

Asset Management: 17% / 10% / 10% / 7% / 16%
  Identify the data, data flows, devices, personnel and systems that could affect cybersecurity.

Governance: 12% / 10% / 12% / 7% / 6%
  Understand the policies, procedures and processes to manage and monitor the organisation’s regulatory, legal, risk and operational requirements.

Average: 23% / 20% / 18% / 23% / 19%


Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.

As with other industries, technology companies tend to be strongest overall in the Protect realm, which is where most organisations traditionally start to build their cybersecurity function. But there is a notable drop-off in the activities necessary to support the frontline protection efforts. The state of awareness and training is of particular concern, given the cybersecurity risk posed by untrained general staff (see the sidebar “Employees Are the Weakest Link”), as is maintenance — the percentage of hardware and telecom companies at the maturing level is in the single digits, which highlights the need for more resources here.

Poised for Improvement

• Identity management and access control: 47 percent of software companies and 42 percent of telecom companies are currently at the developing stage.

• Protective technology: Two-thirds of telecom and hardware companies are at the developing stage, compared with 51 percent of software companies.

Areas of Concern

• Maintenance: Only 10 percent of technology firms have reached the maturing stage, compared with 15 percent of non-technology companies.

• Protective technology: 31 percent of software companies are still at the beginning stage, compared with 17 percent of hardware companies and 20 percent of telecom companies.

“There is a global shortage of tech talent — not only for startups, but also for legacy companies undergoing digital transformation. This shortage has forced tech companies to deploy their precious human resources on core activities like product development and customer acquisition, while adopting a flexible labour model, which includes trusted third parties, whenever possible.”

— Gordon Tucker, Managing Director, Global Technology Industry Practice Leader


Protect activities: percentage of companies at the maturing level (Non-Tech / All Tech / Software / Hardware / Telecom)

Identity Management and Access Control: 38% / 36% / 28% / 51% / 34%
  Limit access to physical and logical assets and associated facilities to authorised users, processes and devices.

Information Protection Processes and Procedures: 34% / 35% / 30% / 43% / 36%
  Maintain security policies, processes and procedures for protecting information systems and assets.

Data Security: 33% / 33% / 32% / 41% / 26%
  Manage data in line with risk strategy to protect the confidentiality, integrity, and availability of information and the privacy rights of data subjects.

Protective Technology: 20% / 16% / 18% / 16% / 14%
  Manage technical security solutions according to policies, procedures and agreements to ensure the security and resilience of systems and assets.

Awareness and Training: 17% / 16% / 15% / 16% / 18%
  Train personnel and partners in cybersecurity awareness and to perform cybersecurity duties in line with policies, procedures and agreements.

Maintenance: 15% / 10% / 13% / 6% / 8%
  Perform maintenance and repairs of industrial control and information system components according to policies and procedures.

Average: 26% / 24% / 23% / 29% / 23%


Employees Are the Weakest Link

Cybersecurity professionals have long argued that cybersecurity needs to be seen as “everyone’s job” and an integral part of company culture. That message seems to have taken hold: When asked to name their greatest internal cybersecurity risk, technology executives, like their counterparts in other industries, are more likely to name untrained general staff than any other source. However, while awareness of this problem is high, combatting the issue is still very much a work in progress. Thus, accelerating investment in awareness and training in this area is likely to yield a noticeable return.

• Telecom companies are also concerned about malicious insiders, with nearly half (48 percent) of executives from those firms naming that risk.

• Software companies are also concerned about privileged insiders, which were cited by 43 percent of those executives.

• Concern over contractors varied widely. Over a quarter (26 percent) of hardware companies cited them as potential risks, while only 4 percent of telecom companies did.

[Chart: Internal Threats Posing Significant Risk. Untrained general staff: 90%. Remaining categories (Privileged insiders, Malicious insiders, Contractors) with values as extracted: 15%, 27%, 37% (assignment not recoverable from the extraction). Note: These percentages apply to all technology organisations.]


Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Because detection activities are primarily tech-driven, the technology industry’s activities here should expand in the next two years, as new approaches are incorporated (see the Tools and Technologies section). There is, however, an important caveat: The adoption of technologies needs to be matched by the capability to use those technologies strategically. As the current data shows, the benefit of continuous security monitoring and detection processes is blunted without a parallel ability to understand the impact of detected events (the “anomalies and events” activity).

Poised for Improvement

• Continuous security monitoring: 50 percent of telecom companies are at the developing stage, compared with 44 percent of software companies and 33 percent of hardware companies.

• Anomalies and events: While only 3 percent of hardware companies are at the maturing stage, 57 percent are at the developing stage.

Areas of Concern

• Detection processes: 35 percent of software companies are still at the beginning stage, compared with 24 percent of hardware companies and 26 percent of telecom companies.

• Predictive analytics: While 26 percent of telecom companies have reached the maturing stage, 38 percent are still at the beginning stage.

Detect activities: percentage of companies at the maturing level (Non-Tech / All Tech / Software / Hardware / Telecom)

Continuous Security Monitoring: 36% / 30% / 27% / 41% / 24%
  Monitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures.

Detection Processes: 25% / 23% / 19% / 27% / 26%
  Maintain and test detection processes and procedures to ensure awareness of anomalous events.

Predictive Analytics: 21% / 20% / 19% / 16% / 26%
  Forecast future cyberattacks by analysing high volumes of data using AI and other advanced technologies.

Anomalies and Events: 13% / 12% / 17% / 3% / 14%
  Detect anomalous activity and understand the potential impact of events.

Average: 24% / 21% / 21% / 22% / 23%


The Cybersecurity Paradox

Our survey uncovered a counterintuitive finding: The more advanced a technology firm’s cybersecurity efforts, the more cyber breaches it suffers. That is likely because firms with more mature cybersecurity functions have better detection, while those in the earlier stages are simply unaware of intrusions. While 30 percent of technology firms overall have continuous security monitoring at the maturing level, only 1 percent of those categorised as cybersecurity beginners do, compared with 75 percent of technology’s cybersecurity leaders.

[Chart: Cybersecurity Incidents in the Last Fiscal Year, by maturity group (Beginners, Intermediates, Leaders). Measures: More than 1,000 records stolen involving personal identifiable information; Three or more breaches requiring emergency response plan deployment. Values as extracted: 25%, 19%, 2%, 45%, 37%, 17% (assignment not recoverable from the extraction).]


Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

While the percentage of technology firms that have reached the maturing stage in analysis provides a foundation, there is significant work to be done in response to cyber breaches. In particular, companies should increase their focus on response planning, which can drive improvements in other collateral areas. Software and hardware companies should follow telecom’s lead and redouble their mitigation efforts.

Poised for Improvement

• Communications: 63 percent of hardware companies are at the developing stage, compared with 51 percent of software companies and 44 percent of telecom companies.

Areas of Concern

• Communications: 42 percent of telecom firms are still at the beginning stage, compared with 29 percent of software companies and 21 percent of hardware companies.

Respond activities: percentage of companies at the maturing level (Non-Tech / All Tech / Software / Hardware / Telecom)

Analysis: 39% / 35% / 32% / 41% / 36%
  Analyse incidents to ensure effective response and support recovery.

Ongoing Improvements: 24% / 20% / 15% / 30% / 18%
  Improve organisational response by incorporating lessons learned from current and previous cybersecurity activities.

Response Planning: 18% / 20% / 21% / 21% / 14%
  Maintain and execute processes and procedures to ensure response to detected cybersecurity incidents.

Communications: 23% / 16% / 17% / 16% / 12%
  Coordinate response with internal and external stakeholders, such as law enforcement agencies.

Mitigation: 11% / 7% / 11% / 1% / 6%
  Act to prevent expansion of an event, mitigate its effects and resolve the incident.

Average: 23% / 20% / 19% / 22% / 17%


Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Cybersecurity leaders and others in the C-suite have long recognised that in today’s environment, suffering a cybersecurity breach is a matter of “when,” not “if.” A firm’s recovery capabilities will be tested — and may well determine the long-term impact of the breach on the business. Technology companies across the board thus need to prioritise this set of cybersecurity activities — beginning with increased efforts to become “continuously learning” organisations regarding their recovery processes.

Poised for Improvement

• Recovery planning: 61 percent of hardware companies and 58 percent of telecom companies are at the developing stage, compared with 48 percent of software companies.

• Ongoing improvements: 70 percent of hardware companies are at the developing stage, compared with 61 percent of software companies and 52 percent of telecom companies.

Recover activities: percentage of companies at the maturing level (Non-Tech / All Tech / Software / Hardware / Telecom)

Communications: 26% / 22% / 19% / 27% / 22%
  Coordinate restoration efforts — including public relations and reputation management — both internally and externally with internet service providers (ISPs).

Recovery Planning: 20% / 20% / 25% / 20% / 10%
  Maintain and execute recovery plans — during or after a cybersecurity incident — to ensure restoration of affected systems or assets.

Ongoing Improvements: 23% / 14% / 12% / 17% / 18%
  Incorporate lessons learned into future recovery planning and processes.

Average: 23% / 19% / 19% / 21% / 17%


Emerging Threats and Countertactics

The Evolving Nature of Cyberattacks

As the technology industry’s digital transformation continues, cyberattacks are expected to evolve accordingly. Today, the threat of direct attacks from malware, ransomware, Trojan horses and more dominates the cybersecurity landscape. Over the next two years, survey respondents expect new vulnerabilities to emerge from greater connectivity and system complexity.

However, this shift reflects the expected addition of new threats rather than any lessening of current ones. Two possible interpretations emerge from this data. The first is that there is inherent difficulty in prioritising future threats. The second is that the threat profile two years from now will in fact be significantly more multidimensional. Either interpretation presents a challenge for cybersecurity strategic planning.

Attacks With the Biggest Impact

Now:
01 Malware/spyware
02 Attacks through mobile apps
03 Ransomware
04 Phishing/spoofing/social engineering
05 Trojan horses/viruses/worms

In Two Years:
01 Attacks through mobile apps
02 Web application attacks
03 Attacks through supply chain software and hardware
04 Attacks through embedded systems
05 Denial of service (DoS)/Distributed denial of service (DDoS)


Attacks With Significant Impact (Now / In two years)

Trojan horses/viruses/worms: 64% / 66%
Malware/spyware: 71% / 81%
Phishing/spoofing/social engineering: 65% / 66%
Ransomware: 67% / 70%
Attacks through mobile apps: 69% / 86%
Web application attacks: 43% / 84%
Attacks through embedded systems: 39% / 79%
Lost/stolen devices: 28% / 61%
DoS/DDoS: 27% / 75%
Abuse of legitimate access: 23% / 67%
Attacks through supply chain hardware and software: 27% / 80%
Attacks through third parties: 16% / 66%


The Effect of Internal and External Trends

From a cybersecurity perspective, technological advances are a double-edged sword, providing greater capabilities and control but also creating new channels for intrusion. Reflecting this, when asked which internal and external trends were affecting cybersecurity, technology executives gave much more emphasis to new technologies, such as artificial intelligence (AI) and blockchain, and technologically driven factors like open platforms and interconnectivity, than they did to business factors like mergers and acquisitions (M&A) and expanded supply chains.

The emphasis on technological factors when assessing the cybersecurity landscape is not surprising. But technology firms should remember that business combinations, lengthening supply chains and global operations significantly expand an organisation’s attack surface while introducing an array of control challenges.

[Chart: Impact of Trends on Cybersecurity, grouped into technological factors and business factors. Trends: New technologies (AI, Internet of Things (IoT) and blockchain); Interconnectivity and mobile technologies; Use of open platforms, application programming interfaces (APIs) and cloud; Digitally enabled products, services and interfaces; Digital transformation of business; Expanded supply chain; Growth through M&A, joint ventures, and partnerships. Values as extracted: 20%, 16%, 29%, 18%, 40%, 54%, 58% (assignment not recoverable from the extraction).]


“Machine learning, advanced analytics, artificial intelligence and other technologies, once regarded as experimental, are core competencies now. They’re required capabilities to fuel new customer insights and deliver new customer experiences.”

— Ron Lefferts, Managing Director, Global Head of Protiviti Technology Consulting

Tools and Technologies

Technology firms tend to rely on a core set of five technologies for their cybersecurity efforts. There is, however, another set of tools that cybersecurity leaders and intermediates use but which beginners have yet to adopt widely. Firms that are early in their cybersecurity development should consider expanding their cybersecurity arsenal accordingly.

• Telecom companies are much more likely to use IoT solutions and sensors (80 percent) than software companies (65 percent) or hardware companies (53 percent).

• There are several technologies more likely to be used by hardware companies than by software or telecom companies, including secure browsers, network traffic analysis, third-party information security practices, cloud access security brokers, and endpoint detection and response software.

[Chart: Some Technologies Are Used by Many ... Technologies: Blockchain; IoT solutions/sensors; Multifactor authentication/biometrics; AI/machine learning; Secure browsers. Values as extracted: 51%, 52%, 64%, 67%, 87% (assignment not recoverable from the extraction).]


[Chart: ... While Others Are Favoured by Those With More Experience (Beginners vs. Intermediates and Leaders). Tools: Endpoint detection and response software; Managed security service providers; Network traffic analysis; Third-party information security practices; Cloud access security brokers; Endpoint protection software. Values as extracted, in pairs: 48%, 4%; 8%, 43%; 5%, 41%; 46%, 7%; 49%, 6%; 50%, 7% (assignment to tool and group not recoverable from the extraction).]

Our survey findings suggest that companies across the technology industry are primed for a significant expansion of the cybersecurity tool set: The three approaches that are least used today — user behaviour analytics, smart grid technologies and deception technology — are those that technology firms say they are most likely to adopt during the next two years. It is interesting to note that cybersecurity beginners are leading the charge for the adoption of these new technologies. This could be a case of “leapfrogging,” in which a lagging group accelerates its technological sophistication through aggressive early adoption — provided that these firms ensure that they have the proper infrastructure and personnel in place to digest this rapid change.


[Chart: New Technologies on the Horizon. Series: Now; Two years from now (Beginners); Two years from now (Intermediates and Leaders). Technologies: User behaviour analytics; Smart grid technologies; Deception technology. Values as extracted, in triples: 52%, 71%, 8%; 27%, 56%, 5%; 68%, 82%, 4% (assignment to technology and series not recoverable from the extraction).]

“Imagine a scenario in which 50 security analysts are constantly searching for threats across thousands of events within a company’s IT environment. Not only is that a pricey proposition, but it would almost certainly fail to spot every danger. AI technologies such as machine learning, on the other hand, can quickly scour data and direct analysts to patterns of abnormal or suspicious machine and/or human behaviours.”

— Tom Lemon, Managing Director, Technology Consulting


Quantitative Methods Bring Far-Reaching Benefits

While other technologies and methods will see a larger jump in adoption over the next two years, the percentage of technology firms now using quantitative methods for cybersecurity risk analysis, combined with those that plan to adopt them in the next two years, will make them a cybersecurity mainstay by 2020. This development will improve the ability of the industry to respond quickly to cyber threats on a practical level, while solidifying a more holistic and analytical approach to cybersecurity.

Less Than One Day for ...

Firms using quantitative methods for risk assessment: Now / In two years / Neither

Data recovery: 26% / 18% / 15%
Implementing patches: 32% / 21% / 23%
Mitigating vulnerabilities: 33% / 23% / 20%
Incident discovery: 49% / 30% / 29%


That companies that have not yet incorporated quantitative methods for risk analysis already show the benefits below suggests that they have begun the process of becoming more data-driven in their cybersecurity strategy.

Use of Metrics in Cybersecurity Strategy

Firms using quantitative methods for risk assessment: Now / In two years / Neither

Our security metrics help us determine the resources we need to apply to our security program: 87% / 82% / 48%
Metrics are well understood by senior management and the board: 88% / 79% / 51%
Our metrics prioritize our security controls and processes: 91% / 80% / 50%
Our security metrics help us evaluate real progress in achieving our cybersecurity goals: 91% / 80% / 48%


Supporting Cybersecurity Across the Organisation

An organisation’s cybersecurity function does not exist in a vacuum, of course. As in other industries, technology companies need to ensure that other parts of the organisation are aligned with the cybersecurity mission. For example, given the amount of customer data that software and telecom companies hold, it is notable that less than a quarter of software and telecom companies have appointed a data protection officer. Organisations that have not done so (and which are not legally required to do so based on where they operate) need to closely examine how they have chosen to structure their data privacy function to ensure that it is adequate.

This data also shows that technology companies have an opportunity to increase the engagement of the board and the broader management team regarding cybersecurity. Forty-four percent of technology companies have their audit function review the company’s risk appetite statement and incorporate gaps into the audit strategy, indicating that nearly half of the companies represented in the survey have a fairly sophisticated approach to risk. But less than half that number have incorporated their cyber-risk statement into their enterprisewide risk statement, or have had the cyber-risk statement approved by the board. Technology firms should endeavour to integrate cyber risk into larger risk considerations. Doing so will make the company’s risk discussions better reflect reality, while increasing awareness of cybersecurity issues among company decision-makers.

Non-Tech / All Tech / Software / Hardware / Telecom

Leadership

An executive with sole responsibility for ensuring information security has been appointed.
40% / 37% / 33% / 46% / 34%

A data protection officer has been appointed to oversee data privacy compliance.
19% / 21% / 23% / 16% / 22%

Support

The HR department has a budget for recruiting, training and developing employees to improve cybersecurity.
39% / 46% / 43% / 41% / 58%

A third-party forensics provider is used.
9% / 7% / 10% / 4% / 2%

Governance

The independent audit function regularly reviews the risk appetite statement and incorporates gaps into the audit strategy.
40% / 44% / 45% / 33% / 54%

A cyber-risk appetite statement has been approved by the board.
20% / 20% / 21% / 21% / 14%

The cyber-risk appetite statement is part of the enterprisewide risk statement.
15% / 22% / 26% / 17% / 18%


Recommendations

Our survey results highlight a number of steps that technology industry decision-makers may wish to consider so that their cybersecurity function stays ahead of evolving threats:

01 Examine how cybersecurity is regarded within the organisation. Firms that see it as a potential business differentiator rather than a maintenance obligation are more likely to give it the appropriate level of resources and attention. Cybersecurity should be factored into the audit function and into board-level discussions, and, along with data privacy, given dedicated attention within senior management.

02 Look critically at the progress being made in implementing the various NIST Cybersecurity Framework activities and consider adopting more aggressive goals. The percentage of technology firms that are still “cybersecurity beginners” is problematic given the industry’s role in enabling the increased digitalization of business.

03 The importance of adequate funding cannot be overemphasised, especially for firms looking to gain the critical mass needed to move past the beginner stage. This is likely to require the CEO and possibly the board to champion the organisation’s ownership of its cyber risk.

04 Examine cybersecurity strategic planning to refine how it prioritises the potential threats that may emerge in the coming years. Inventory the array of tools currently used and consider the benefit of adopting a wider range of solutions. Review both current infrastructure and personnel capabilities to ensure that they are able to adapt to the next generation of cybersecurity threats and countertactics.

05 Firms that are not yet using, or have not made plans to use, quantitative methods for cybersecurity risk assessment should consider doing so. Approaching cybersecurity with a quantitative mindset brings a range of benefits, including better cybersecurity performance and decision-making.


How Protiviti Can Help

Protiviti works with organisations to focus on foundational information security questions:

• Do we know what we need to protect (e.g., the data and information systems assets that are most important — the “crown jewels”) and where those assets are located? Concerning these assets:

– Are we properly caring for them? How do we know?

– Who are we protecting them from, to whom should we permit access, and how can we tell the difference?

– Are our defences effective? Are they working as intended?

– How will we know if things are not working as we planned?

• Are we able to recognise a new threat to our environment and detect likely attack techniques on a timely basis and align our protection measures to meet the threat?

• Are we ready to respond if something bad were to happen? Are we capable of managing such incidents? And when incidents occur, are we able to keep them from happening again?

Protiviti provides a wide variety of security and privacy assessment, architecture, transformation, and management services to help organisations identify and address security and privacy exposures (e.g., loss of customer data, loss of revenue or reputation impairment) before they become problems. Working with companies in all industries, we evaluate the maturity of their information security programs and the efficacy of their controls — and help them design and build improvements when needed. We have a demonstrated track record of helping companies react to security incidents, establish proactive security programs, deal with identity and access management, and handle industry-specific data security and privacy issues. Our experience and dedication to developing world-class incident responses have resulted in deep expertise in security strategies, response execution, forensic analysis and response plan development.


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries. 

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

CYBERSECURITY CONTACTS

United Kingdom

Roland Carandang Managing Director London +44.20.7389.0443 [email protected]

Thomas Lemon Managing Director London +44.20.7024.7526 [email protected]

United States

Gordon Tucker Managing Director Global Technology Industry Practice Leader +1.415.402.3670 San Francisco [email protected]

Cal Slemp Managing Director Security and Privacy Program and Policy Services Segment Lead New York City +1.203.905.2926 [email protected]

Scott Laliberte Managing Director Global Leader of Security and Privacy Philadelphia +1.267.256.8825 [email protected]

Michael Ebert Managing Director Healthcare Industry Cyber Lead Philadelphia +1.267.234.9735 [email protected]

Andrew Retrum Managing Director Financial Services Industry Cyber Lead Chicago +1.312.476.6353 [email protected]

Jeffrey Sanchez Managing Director Data Security and Privacy Segment Lead Los Angeles +1.213.327.1433 [email protected]

David Taylor Managing Director Response and Recovery Segment Lead Orlando +1.407.849.3916 [email protected]

Michael Walter Managing Director Cyber Intelligence and Response Center Lead Atlanta +1.303.898.9145 [email protected]

Australia

Ewen Ferguson Managing Director Sydney +61.2.8220.9500 [email protected]

China and Hong Kong

Michael Pang Managing Director Hong Kong +852.2238.0438 [email protected]

Germany

Kai-Uwe Ruhse Managing Director Frankfurt +49.699.6376.8148 [email protected]

Italy

Enrico Ferretti Managing Director Rome +39.346.7981427 [email protected]

Japan

Fumihito Fujiwara Managing Director Tokyo +81.70.6962.9797 [email protected]

Masato Maki Managing Director Tokyo +81.80.1177.3674 [email protected]


PROTIVITI GLOBAL MARKET LEADERS

ARGENTINA

Pablo Giovannelli +54.11.5278.6345 pablo.giovannelli@protivitiglobal.com.pe

AUSTRALIA

Garran Duncan +61.3.9948.1200 [email protected]

BAHRAIN

Arvind Benani +973.1.710.0050 [email protected]

BRAZIL

Raul Silva +55.11.2198.4200 [email protected]

CANADA

David Dawson +1.647.288.4886 [email protected]

CHILE

Soraya Boada +56.22.573.8580 [email protected]

CHINA (HONG KONG)

Albert Lee +852.2238.0499 [email protected]

CHINA (MAINLAND)

David [email protected]

EGYPT

Ashraf Fahmy +202.25864560 [email protected]

FRANCE

Bernard Drui +33.1.42.96.22.77 [email protected]

GERMANY

Michael Klinger +49.69.963.768.155 [email protected]

INDIA

Sanjeev Agarwal +91.124.661.8600 [email protected]

ITALY

Alberto Carnevale +39.02.6550.6301 [email protected]

JAPAN

Yasumi Taniguchi +81.3.5219.6600 [email protected]

KUWAIT

Sanjeev Agarwal +965.2242.6444 [email protected]

MEXICO

Roberto Abad +52.55.5342.9100 [email protected]

NETHERLANDS

Anneke Wieling +31.20.346.0400 [email protected]

OMAN

Shatha Al Maskiry +968 24699402 [email protected]

PERU

Marco Villacorta +51.1.208.1070 [email protected]

QATAR

Andrew North +974.4421.5300 [email protected]

SAUDI ARABIA

Saad Al Sabti +966.11.2930021 [email protected]

SINGAPORE

Nigel Robinson +65.9169.2688 [email protected]

UNITED ARAB EMIRATES

Arindam De +9714.438.0660 [email protected]

UNITED KINGDOM

Peter Richardson +44.20.7930.8808 [email protected]

UNITED STATES

Scott Laliberte +1.267.256.8825 [email protected]

VENEZUELA

Gamal Perez +58.212.418.46.46 [email protected]


© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0319-103131-IZ-ENG Protiviti is not licenced or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS UNITED STATES

Alexandria

Atlanta

Baltimore

Boston

Charlotte

Chicago

Cincinnati

Cleveland

Dallas

Denver

Fort Lauderdale

Houston

Kansas City

Los Angeles

Milwaukee

Minneapolis

New York

Orlando

Philadelphia

Phoenix

Pittsburgh

Portland

Richmond

Sacramento

Salt Lake City

San Francisco

San Jose

Seattle

Stamford

St. Louis

Tampa

Washington, D.C.

Winchester

Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro Sao Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

COLOMBIA*

Bogota

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE, MIDDLE EAST & AFRICA

FRANCE

Paris

GERMANY

Frankfurt

Munich

ITALY

Milan

Rome

Turin

NETHERLANDS

Amsterdam

UNITED KINGDOM

Birmingham

Bristol

Leeds

London

Manchester

Milton Keynes

Swindon

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

SAUDI ARABIA*

Riyadh

UNITED ARAB EMIRATES*

Abu Dhabi

Dubai

EGYPT*

Cairo

SOUTH AFRICA *

Durban

Johannesburg

ASIA-PACIFIC AUSTRALIA

Brisbane

Canberra

Melbourne

Sydney

CHINA

Beijing

Hong Kong

Shanghai

Shenzhen

INDIA*

Bengaluru

Hyderabad

Kolkata

Mumbai

New Delhi

JAPAN

Osaka

Tokyo

SINGAPORE

Singapore

*MEMBER FIRM
