Cybersecurity teams evolve to proactively identify and manage risks

2019 Digital Trust Insights China Report

Introduction 2

Risks arising from digital transformation 4

Business alignment of cybersecurity programmes 6

Maturity of cybersecurity activities 9

Ways for cybersecurity teams to advance 12

Research methodology 15

Contacts 17

1

Introduction

Building digital trust is no longer a priority, but a necessity. Companies are undergoing digital transformation at a rapid pace in an effort to modernise and improve the speed and efficiency of their operations. This is causing a rise in the cybersecurity and data privacy risks they face thus making it more challenging to build digital trust. Mainland Chinese firms are no exception.

The country has been promoting cyber governance as it advances rapidly along the digital curve. This year, the annual plenary “Two Sessions” proposed to further strengthen information security including the regulation of collection of personal data and construction of national cybersecurity. In addition, enhancing and upgrading information infrastructure to improve the level of cybersecurity protection is emphasised in the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area.1

2

Regulators have been proactively involved in China’s digital transformation since the country’s Cybersecurity Lawi came into effect on 1 June 2017. More detailed rules and regulations, for example, the new Multi-level Protection Scheme (MLPS) 2.0 and the exposure drafts of the Administrative Measures on Data Security and the Measures on Security Assessment of Cross Border Transfer of Personal Information, are also being implemented to further oversee the digital environment. Though the environment for the digital transformation seems stricter, detailed regulations are helping companies consider legal requirements at an early stage while developing their business strategy. As national and regional regulations evolve, Chinese businesses and their cybersecurity teams are being driven to play a significant role in the process of regulating cyber activity. In order to do so cybersecurity teams need to undergo a shift in mindset to support the strategic goals of the business.

Emerging technologies such as artificial intelligence, Blockchain and cloud computing have also become a force to be reckoned with. 5G mobile technology, which is set to replace the 4G standard over the next few years, is 100 times faster and has 1,000 times more capacity to facilitate the growth and integration of these emerging technologies by facilitating greater connectivity.2 Companies are under pressure to use these innovations in their operations in order to realise growth. As these new technologies help create more accessible, customised products and services, they also give rise to an increase in demand for privacy and data protection.

Risk management increasingly looks at how new technologies are being used responsibly in order to promote digital trust.3 Given the impact of country-specific laws or regulations on a company’s digital transformation, firms are taking on this responsibility from the very beginning. C-suite executives are leading effectively by working with regulators and policymakers on how to navigate privacy and data protection issues.

PwC’s 2019 Digital Trust Insights China Report assesses what Mainland Chinese businesses are doing to build digital trust and the role of their cyber teams in accomplishing this. It offers cyber teams with recommendations on how they can enhance competitiveness by pursuing business-driven cybersecurity. The report draws on the findings of the Global Digital Trust Insights survey (previously called Global State of Information Security® survey) of more than 3,000 executives and IT professionals in 89 territories worldwide. The China report presents the views of the 121 respondents based in Mainland China (hereafter referred to as China). The survey was conducted between March and April 2019.

i. China’s Cybersecurity Law is the most recent legislation that regulates the protection of digital information by businesses and the defence of systems against cyber-attacks.

3

Risks arising from digital transformation

China’s private sector is developing at a rapid pace as businesses undergo digital transformation. In terms of the value that Chinese companies expect to obtain from their digital journey, 32% of those surveyed expect to grow their revenue (Global: 27%), 26% expect to create new products or innovate their products (Global: 9%) and 12% hope to create better customer experiences (Global: 16%).

While digital transformation offers ample opportunities to spur growth and innovation, it also poses unique risks that businesses need to account for. From the perspective of Chinese executives and IT professionals, the most acute risk stemming from their digital journey is data governance or privacy (China: 28%; Global: 11%). Strengthening information security and the collection of personal data is a national strategic priority given the concern over data collection and transfer practices among Chinese companies.ii

Organisations’ cybersecurity teams will need to address how their customers, employees and other business stakeholders interact with the advancements brought about by new technology. Chinese respondents also face innovation risk from digital transformation, namely the risk from the introduction of new products, services and processes (China: 19%; Global: 8%). We would expect this to be the case given that over one quarter of Chinese respondents expect to create or innovate products through digital transformation. Managing this risk will involve educating business units on the digital strategy of the firm and how innovation will affect their business operations.

According to the Academy of Information and Communications Technology, China’s digital economy was valued at US $4.6 trillion in 2018, which was equivalent to roughly 35% of the country’s GDP.4 Given how far the private sector has advanced along the digital curve, businesses are more likely than ever to be vulnerable to cybersecurity breaches. As such cybersecurity is another major risk faced by Chinese executives and IT professionals (China: 18%; Global: 29%).

In terms of the ability of organisations to manage risks faced from digital transformation, fewer Chinese executives and IT professionals (24%) compared to global (31%) believe that they are very effective at doing so. The majority of Chinese respondents (55%) are less optimistic and feel they are only somewhat effective at managing these risks (Global: 40%).

ii. According to the work report of the Supreme People’s Court, courts in the country concluded 8,907 Internet-related criminal cases, including cases of online fraud, illegal use and collection or purchase of personal information, online pyramid selling and stealing of business secrets through Internet technologies in 2018.

4

Although most Chinese respondents state that building digital trust is a business priority (China: 90%; Global: 85%), they are facing gaps in their ability to do so given the rapid pace of digital transformation. For the executives and IT professionals surveyed, the most important gaps that exist in their ability to build digital trust include uncertainty about achieving the goals of their business transformation (China: 17%; Global: 11%), uncertainty about whether their digital strategy anticipates changes coming in the next decade (China: 15%, Global: 11%) and uncertainty about achieving the outcomes of their digital initiatives (China: 14%; Global: 13%).

Tech conglomerates Baidu, Alibaba Group Holding and Tencent Holdings (BAT) are leading China’s digital transformation and are disrupting industries such as financial services, retail and tourism. These Internet giants are putting pressure on traditional companies by moving the technological goalposts thus causing incumbents to fall behind.

As 88% of Chinese survey respondents are from non-technology sectors such as industrial manufacturing, financial services or the retail and consumer sector, it is apparent that some of these organisations cannot keep up with the speed of disruption impacting their industries from these BAT titans, and find themselves uncertain about meeting their business transformation goals or digital objectives. In order to tackle these gaps, Chinese companies are beefing up their cybersecurity programmes and reframing the way their cybersecurity teams work. Some companies are considering outsourcing digital innovation processes to third-party technology service providers and others are undergoing digital transformation facilitated by industry associations (alongside regulators) that are strengthening the ecosystem and supporting companies to advance digitally.

Figure 1: Most acute risks stemming from organisations’ business transformation or digital initiatives

Data governance or privacy

Risks from introduction of new products, services,

processes (Innovation risk)

Cybersecurity

Risk from failed business decision (Strategic risk)

Brand or reputation

4%12%

28%11%

19%8%

18%29%

7%11%

China

Global

5

Business alignment of cybersecurity programmes

As companies actively adopt technology-driven business models, it is important for cybersecurity programmes to be aligned with business goals in order to build digital trust. For this to happen, cybersecurity teams need to get up to speed on business strategy, develop an understanding of the business risk appetite, and most importantly manage risks along the digital transformation journey.

In fact, Chinese respondents at large demonstrated greater business alignment than their global counterparts across a number of measures. 83% agree that their cybersecurity team is being embedded in the business, is conversant in business strategy and has a cybersecurity strategy that supports business imperatives (Global: 72%). 83% agree that their cybersecurity team works in strategic partnership with all the other functions that manage risk in the organisation to protect against the most serious threats and risks to the business (Global: 68%). While 81% are in agreement that their cybersecurity team communicates effectively with the board and senior executives about cyber risks and adjacent risks (Global: 70%).

6

Figure 2: Level of agreement with the following statements about organisations’ cybersecurity and their cybersecurity team

Our cybersecurity team takes a risk-based approach in securing the ecosystem, rather than a transactional approach.

Cybersecurity is woven throughout our operations and R&D.

Our cybersecurity team is embedded in the business, conversant in our business strategy, and has a cybersecurity strategy that supports

the business imperatives.

Our cybersecurity team works in strategic partnership with all the other functions that manage risk in the organisation to protect

against the most serious threats and risks to the business.

Our cybersecurity team communicates effectively with the board and senior executives about cyber risks and adjacent risks.

The cybersecurity team builds digital trust. (We mean the level of confidence in people, processes, and technology to build a secure

digital world.)

The organisation assesses the cybersecurity team’s capabilities, compared to peers, using standard frameworks.

The cybersecurity team uses automation and emerging technologies for threat intelligence, defence, and recovery.

Global

28% 42%

44%

39%

37%

39%

41%

41%

38%

28%

29%

33%

30%

27%

29%

25%

Strongly Agree Agree

China

43%43%

18%65%

31%52%

33%48%

33%45%

30%45%

32%41%

21%48%

Agree Strongly Agree

7

What are Chinese cybersecurity teams doing differently to be more strategic and business-oriented? In the survey, we asked those that are significantly transforming to meet the needs of the business to rank the ways in which their cybersecurity team is evolving. The highest proportion, 26%, said their team is working more closely with the business to ensure alignment of cybersecurity strategy to their business imperatives (Global: 18%). 15% stated their team is using automation and emerging technologies to improve cybersecurity capabilities (Global: 11%) and 8% are strengthening third-party risk management (Global: 13%).

Where Chinese cybersecurity teams are lagging however, is in reporting more regularly on cyber risks to the company’s board (China: 4%; Global: 5%) and to the C-suite (China: 4%; Global: 7%). It is critical for teams to integrate the board and senior management into discussions on cybersecurity risks. In this way, the board and senior management are held accountable for the company’s cyber risk strategy in areas such as preparation and response to a cybersecurity event as well as enhancement of employees’ cyber awareness.iii

iii. Holding the board and senior management accountable is part of the five principles of cyber risk governance as outlined in ‘Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity’, a report released by the DCRO, an organisation promoting risk governance with over 2,000 board-level company members from over 115 countries.

Figure 3: Specific ways in which organisations’ cybersecurity team is evolving

Work more closely with the business to ensure alignment of cybersecurity strategy to our business imperatives

Use automation and emerging technologies to improve capabilities

Strengthen third-party risk management

Work closely with the risk functions on holistic risk-based approach

Understand the data footprint across the ecosystem- internally

and with external parties

Create a digital strategy that takes into account potential changes in

business models in the future

Report more regularly on cyber risks to the board

Report more frequently on cyber risks to the C-Suite

8

26%

15%

8%

7%

6%

4%

4%

4%

18%

11%

13%

7%

4%

4%

5%

7%

China Global

iv. The NIST Cybersecurity Framework uses a common language to address and manage cybersecurity risk based on business and organisational needs without placing additional regulatory requirements on businesses. Respondents ranked themselves based on discrete categories using CMMI (Capability Maturity Model Integration) Maturity Levels which in increasing levels of maturity are: Initial, Managed, Defined, Quantitatively Managed and Optimising. In this report, the highest two maturity levels are isolated to display the results.

Maturity of cybersecurity activities

While it is important to drill down into what cybersecurity teams are doing to better align with the business, it is also useful to gauge their current level of maturity in terms of existing cybersecurity activities. The survey assessed businesses in this regard, based on discrete categories of the US National Institute for Standards and Technology (NIST) Cybersecurity Framework5 which cover five main cybersecurity functions, namely: Identify, Protect, Detect, Respond and Recover.iv

In terms of maturity levels, Chinese cybersecurity teams were the most mature in the “Respond” and “Protect” functions and were least mature in the “Identify” function. This is worrying as it indicates that survey respondents are in a reactive mode and are mitigating risk after it occurs rather than adequately identifying and preparing for it. It suggests teams are weak in identifying the critical resources and business context to enable the company to focus its cybersecurity efforts in line with its risk management strategy and business needs. Instead, the teams are only able to do damage control and support the firm’s ability to respond to a detected incident or to protect the firm by limiting or containing the impact of an event.

Figure 4: Level of maturity of organisations’ cybersecurity activities, China

Communications (Respond)

Identity Management, Authentication and Access Control (Protect)

Protective Technology (Protect)

Supply Chain Risk Management (Identify)

Mitigation (Respond)

Data Security (Protect)

Response Planning (Respond)

Recovery Planning (Recover)

Risk Management Strategy (Identify)

Asset Management (Identify)

Improvements (Recover)

Detection Processes (Detect)

Risk Assessment (Identify)

Governance (Identify)

Business Environment (Identify)

Information Protection Processes and Procedures (Protect)

Security Continuous Monitoring (Detect)

Maintenance (Protect)

Anomalies and Events (Detect)

Awareness and Training (Protect)

Analysis (Respond)

12%

16%

11%

9%

7%

7%

8%

7%

7%

7%

6%

7%

9%

7%

5%

5%

5%

3%

4%

2%

6%

23%

16%

17%

17%

18%

17%

14%

15%

13%

14%

14%

11%

9%

11%

12%

11%

11%

9%

11%

12%

7% Quantitatively managed

Optimising

9

The reason for this might be that, relative to other categories, fewer Chinese respondents find that their cybersecurity team takes a risk-based approach in securing their ecosystem, rather than a transactional approach (China: 69%; Global: 63%) (See Figure 2). Few also agree that their company assesses the cybersecurity team’s capabilities, compared to their peers, using standard frameworks such as the NIST Cybersecurity Framework (China: 75%; Global: 68%) (See Figure 2). By taking a risk-based approach to executing activities and using a standard framework to organise themselves, Chinese cybersecurity teams can appropriately predict and manage cybersecurity risk across systems, people, assets, data, and capabilities.

Relative to other categories, executives and IT professionals are behind in the Asset Management category (within the Identify function) which entails identifying physical and software assets within the organisation for cybersecurity alignment. It follows that, relative to other categories, fewer cybersecurity teams helped businesses design “security and privacy” into new products and services over the past 12 months (China: 64%; Global: 60%) (See Figure 5).

10

Chinese companies are also less mature in the Governance category (within the Identify function) which involves identifying a governance programme or cybersecurity policies that meet external legal and regulatory requirements. This is in line with the fact that fewer cybersecurity teams had orchestrated a cross-functional effort to comply with new regulation over the past year (China: 60%; Global: 53%) (See Figure 5). It is very important for cybersecurity teams in the country to gain an understanding of China’s cybersecurity regulatory landscape and to align existing controls with current and upcoming legislations. While China’s Cybersecurity Law was enforced in June 2017, many provisions of the law still need to be detailed and clarified through implementation rules and regulations.6

Conversely Chinese cybersecurity teams excel in the Communications category (within the Respond function), thus are effective in managing communications during and after a cybersecurity event with internal and external stakeholders. They are also more mature in the Data Security category (within the Protect function) and firm data is managed to protect the confidentiality, integrity, and availability of this information.

Figure 5: Cyber teams’ accomplishments in the past 12 months

Improved operational technology security

Anticipated a new cyber risk related to digital initiatives that allowed us to manage it before it affected our

partners or customers

Helped the business recover quickly from a significant attack and minimised

potential losses

Improved supply chain risk management

Helped the business design “security and privacy” into new products and

services

Responded quickly to a breach or attack without significant harm to our

operations

Orchestrated cross-functional effort to comply with new regulation

Detected a significant cyber threat to our business and prevented it from

affecting our operations

China Global

81%

69%

67%

60%

80%

68%

64%

58%

66%

49%

55%

53%

67%

56%

60%

49%

11

Ways for cybersecurity teams to advance

Businesses in China have been evolving rapidly as a consequence of digital transformation over the past two decades causing a decline in digital trust. In order to build this trust, cybersecurity teams need to switch from reactive to proactive identification of critical risks which entails:

Ensure the alignment of cybersecurity strategy with business imperatives

This requires cybersecurity teams to get up to speed on business strategy, gain an understanding of business risk appetite and effectively manage business risks related to digital transformation. This might involve incorporating security and privacy into new business products and services for example.

Follow a risk-based approach and standard framework to strengthen their “Identify” function

Cybersecurity teams need to champion using a risk-based approach and adopting a standard framework when engaging in cybersecurity activities. In doing so they can strengthen their ability to identify the critical resources and business context to enable the company to focus its cybersecurity efforts in line with its risk management strategy and business needs.

12

Use automation and emerging technologies to improve cybersecurity capabilities

Automation through machine learning as well as the use of emerging technologies such as artificial intelligence, robotics process automation or Internet of Things (IoT) offer unique opportunities for cybersecurity teams to improve on threat intelligence, defence, and recovery.

Set up a governance programme to comply with external regulatory requirements

It is necessary for cybersecurity teams to set up a governance programme that satisfies external regulatory requirements for cybersecurity and data governance and privacy, particularly in China given its strategic importance and the fact that this landscape is evolving quickly.

13

Tackle cybersecurity as a business issue rather than an IT issue

Cyber risk is an enterprise-wide concern and therefore needs to involve the firm’s board of directors, management, business unit leaders along with the IT and security functions. Cyber teams need to integrate the board and senior management into cybersecurity risk discussions to hold them accountable for the company’s cyber risk strategy. In order to develop an adequate cybersecurity programme, companies also need to consider involving their employees. Employees can support cybersecurity through training and adhering to company standards and guidelines.7

Respond and improve in an agile way

Agility is a very popular concept in product or service development. This can be also integrated into cybersecurity programmes by focusing not only on the technology itself, but also the whole management process. By pursuing agile responses and a culture of improvement, teams can build efficiency and a high level of trust into the programmes they pursue.

By taking these steps, teams in China can ensure their businesses are well-poised to take advantage of the benefits of digital transformation while actively detecting and mitigating risks. By strengthening their defences, they can position themselves to enhance business competitiveness instead of being distracted by security, trust and reputational issues which in turn may impact profitability.

14

Research methodology

The respondents’ profile is represented by the following charts in terms of respondents’ role, industry composition and annual global revenue.

Figure 6: Distribution of China sample by respondents’ role

*Others include Government Relations; Chief Risk Officer / Head of Risk Management; Chief Information Security Officer (CISO) VP; Chief Data Officer (CDO); Other Board Member; Network / System Administrator; Information Security Manager as well as Director of Risk.

Senior Project / Project Manager

CEO / President / Managing Director

Chief Operating Officer (COO)

Senior Consultant / Consultant

Chief Information Officer (CIO) / VP

Information Technology Manager

Information Systems Manager (MIS)

Information Security Staff/Coordinator

Chief Technology Officer (CTO)

Information Technology Director

Internal Auditor

Network / Systems Engineer

Line-of-Business Leader

Chief Financial Officer (CFO) / Finance Director (FD)

Information Security Director

Others*

Information Technology Executive

14%

11%

7%

6%

5%

2%

2%

2%

12%

9%

7%

5%

3%

2%

2%

2%

10%

15

16

$99 million or less

Industrial manufacturing

$500 million to $999 million

Retail and consumer

$50 billion or more

Pharmaceuticals and life sciences

Others*

$100 million to $499 million

Technology, communications, entertainment and media

$20 billion to $49.9 billion

Power and utilities

$5 billion to $9.9 billion

$10 billion to $19.9 billion

$1 billion to $4.9 billion

Financial services

Business services

Engineering and construction

Figure 8: Distribution of China sample by organisation’s annual global revenue (US $)

Figure 7: Distribution of China sample by industry

Note: Not all figures add up to 100%, as a result of rounding percentages and exclusion of ‘Unsure / don’t know’ responses.

21%

12%

8%

4%

18%

19%

12%

6%

11%

3%

18%

15%

14%

13%

6%

8%

7%

*Others include automotive; energy, including oil and gas; transportation and logistics; aerospace and defence; chemicals; forest, paper and packaging as well as hospitality and leisure.

Acknowledgements

Editorial and writingMonica UttamSanjukta Mukherjee

Project ManagementMonica UttamTerrance Lui

DesignerRay Liu

Endnotes1. Outline Development Plan for the Guangdong-

Hong Kong-Macao Greater Bay Area, February 2019, https://www.bayarea.gov.hk/filemanager/en/share/pdf/Outline_Development_Plan.pdf

2. Making 5G pay, April 2019, https://www.pwccn.com/en/services/consulting/publications/making-5g-pay.html

3. Risk trends 2019, March 2019, https://www.pwc. com/gx/en/ceo-agenda/ceosurvey/2019/themes/risk-trends.html

4. China's digital economy reaches 31.3t yuan in 2018, May 2019, http://www.chinadaily.com.cn/a/201905/07/WS5cd0fbb6a3104842260ba445.html

5. The Five Functions, August 2018, https://www. nist.gov/cyberframework/online-learning/five-functions

6. Ministry of Public Security Issued Rules on Supervision and Inspection internet Security, October 2018, https://www.bakermckenzie.com/en/insight/publications/2018/10/ministry-of-public-security-issued-rules

7. How your board can better oversee cyber risk, November 2018, https://www.pwc.dk/da/publikationer/2018/pwc-how-your-board-can-better-oversee-cyber-risk.pdf

Contacts

North Central South

Lisa LiPartner +[86] (10) 6533 2312lisa.ra.li@cn.pwc.com

Samuel SinnPartner+[86] (21) 2323 2296 samuel.sinn@cn.pwc.com

Kenneth WongPartner+[852] 2289 3822kenneth.ks.wong@hk.pwc.com

Ryan YaoPartner +[86] (10) 6533 7576ryan.h.yao@cn.pwc.com

Chun Yin CheungPartnerTel: +[86] (21) 2323 3927chun.yin.cheung@cn.pwc.com

Kok Tin GanPartner +[852] 2289 1935kok.t.gan@hk.pwc.com

Tony WanPartner+[86] (21) 2323 8149tony.wan@cn.pwc.com

Felix KanPartner +[852] 2289 1970felix.py.kan@hk.pwc.com

Ramesh Moosa Partner+[86] (21) 2323 8688 ramesh.moosa@cn.pwc.com

Danny WengPartner +[86] (20) 3819 2629danny.weng@cn.pwc.com

Dennis LiPartner+[86] (10) 6533 7800 dennis.y.li@cn.pwc.com

www.pwccn.com

© 2019 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.