Building on belief
Cyber confidence
TCS Risk & Cybersecurity Study
Master Report

You’ll find a lot of data, correlations, answers, insights, and examples in this report. But the most important thing to take away from it all is some idea of where to start and what to do to better equip your enterprise with a risk and cybersecurity strategy that can deliver on the implied promise of a business-aligned approach to the digital risks and threats of modern business. We recommend the following actions, which you can read more about on page 24.

What we’re recommending
- Chart a long-term strategy that aligns security technology and functions around both regulatory compliance and protecting the applications, data, and infrastructure most critical to the business.
- Take an integrated approach to governance and implementation of cybersecurity that makes it the responsibility of all functional and business units in the enterprise as well as third parties and vendors involved with relevant processes.
- Consider creating a board-level committee charged specifically with cyber risk and security.
- Focus on cyber resilience because even the best-guarded organization can become a victim of a malicious cyber breach.
- Embed security as a foundational layer in every aspect of the organization.
- Make supply chain and partner ecosystem security a higher priority.
- Leverage the cloud and cloud services to enhance your security profile. And maintain cybersecurity vigilance and regulatory compliance by weaving established cybersecurity frameworks into cloud adoption, including insight into third-party vendors’ compliance with cybersecurity controls.
- Coordinate the cybersecurity and risk functions closely.

Contents
The keys to confidence
Security & the enterprise
Top threats & priorities
Tools, challenges & plans
Board & business unit engagement
Cloud platform security
Investment & skills
Our recommendations
Confidence in the face of certain attack
Methodology

The keys to confidence

Essential takeaways
- Companies where the board of directors and C-suite are proactive about its cyber strategy are more likely to see better-than-average revenue and profit growth and fewer problems recruiting and retaining advanced cyber skills.
- Financially successful companies are also more likely to regard cloud-based tools and platforms as more secure than on-premises data centers.
- While companies rightly see much promise for future revenues and productivity by participating in emerging digital ecosystems, most companies are too complacent about the risks and threats inherent in such exchanges of data.
- Recruiting and retaining top talent with the relevant skill sets to manage, engineer, and support cybersecurity technology is the number one challenge for cyber professionals today.

Despite years of investment in risk assessment and security tools, many chief information security officers and chief risk officers feel worried or even overwhelmed about their ability to meet current and emerging cyber threats. Protecting their organizations from a rising tide of cyber threats requires advanced technology. But just as important, it requires engaged leadership and strategically aligned stakeholders if an organization is to fight off the most critical developing threats and recover quickly from attacks when they occur.

Those were among the top findings from a TCS study of more than 600 chief information security officers (CISOs) and chief risk officers (CROs) conducted early in 2022 amid an unprecedented upsurge in increasingly sophisticated cyberattacks from criminals, sovereign states, and other bad actors exploiting global socio-political and economic tensions. The survey respondents were drawn from North American, European, and UK-headquartered companies in four industries facing an unprecedented onslaught of cyber threats and increased risks, whether to business data, customer data, their operations, trade secrets, or their supply chains: banking and financial services, manufacturing, utilities, and media and information services.

Our survey, along with in-depth interviews with business and security leaders, shows the importance of processes, collaboration, and awareness in aligning all stakeholders on the top-priority risks and the most effective remediation tactics. This coordination must extend from the board to C-level executives and business units down to functional organizations such as technology, finance, and legal. Our findings uncovered that, above all, such efforts require real collaboration between the CISO and CRO
offices, as many of them have told us. Our study found 30% of CISOs and CROs coordinate their efforts several times a week and even daily. Another 42% confer weekly or at least several times a month. Perhaps more telling, collaboration at least several times a week between CROs and CISOs is more likely to be found at the companies who lead their industry peers in revenue and profit growth; in our study, these are the companies we call “Pacesetters.” Meanwhile, at a majority of the companies struggling to compete on such financial terms (“Followers”), coordination between the CISO team and the CRO function occurs no more often than “several times a month,” at most. Yet even here among the Followers, more than a quarter of CROs and CISOs say they work together daily or several times a week.

Beyond top-down alignment of business and security strategies, Pacesetter companies seem to enjoy other advantages over their Follower peers. For example, they’re experiencing less difficulty in recruiting or retaining top talent with cutting-edge cyber risk and security skills. And they’re more likely to be leveraging cloud platforms because they’ve discovered cloud-based infrastructures to be as or more secure than on-premises servers and traditional data centers.

Pacesetters & Followers
To unearth best practices and gain an insight into some of the thinking of industry-leading companies and the executives who work for them, we cross-tabulated many of our study findings against the financial success of these companies, dividing the 607 participating companies into “Pacesetters,” “Followers,” and “all others.” Pacesetters reported growth in both revenue and profit from 2017 to 2021 that was higher than the average reported by all respondents in the same industry or, for those with at least 30 respondents, the same subsector. Followers, by contrast, reported lower than the same averages for both revenue and profit. The companies that might have higher than average revenue growth but lower than average profit increases, or vice versa, fell into the “all others” camp. This way we can compare what financially successful companies do and how their executives approach business and technology issues, and how that contrasts with the actions and attitudes of the companies struggling to compete in their industry.

The study showed interesting correlations between the level of attention that corporate boards of directors give to cyber risk and security issues compared against other measures of success, including financial. Two out of five corporate boards cover risk and cybersecurity issues at every meeting, or at every meeting of a committee of the board. Other boards, however, only do so “periodically,” “occasionally, as necessary,” or even in some cases “almost never or never.” Yet our findings reveal that the more successful a company has been in growing both revenue and profitability, the more often its board probably engages on cyber issues. Going forward, all corporate boards will need to focus attention on cyber risk and security, given the vulnerabilities of, threats against, and attacks on the emerging digital ecosystems of global business.

In short, our study showed that the challenges for CISOs and CROs are less about budgets and technology than they are about people-centric issues, such as board engagement, skills recruitment and retention, and confidence: confidence in the cloud, confidence in
how integrated their cyber and business strategies are, and confidence in their ability to stay ahead of data thieves, digital terrorists, state-sponsored criminal outfits, and the greatest threat of all: complacency.

Security & the enterprise

As businesses struggle to protect themselves against a growing scale and variety of cyber threats, the TCS Thought Leadership Institute conducted this study to understand:

What are board of directors’ and C-suite levels of engagement in preparing for and protecting companies from attacks and incursions by malicious actors?

We found two out of five boards include cyber risk and security on their agendas at every meeting, but almost one in five boards are mostly disengaged from the topic. Given the increasing regulations and reporting requirements around privacy and security, especially for exchange-listed corporations, companies with publicly traded shares are more likely to have boards that focus on risk and cybersecurity at every meeting. (See Figure 1.) CISOs and CROs reported similar if slightly less proactive engagement from their fellow C-suite executives.

Figure 1. Corporation type vs. board’s engagement on cyber risk & security issues (n=607; not shown: don’t know/can’t say about board discussion frequency)
  Very regularly/every board meeting: Total 40%; Publicly traded 44%; Privately held 30%
  Periodically: Total 43%; Publicly traded 41%; Privately held 49%
  Occasionally or as necessary: Total 13%; Publicly traded 12%; Privately held 15%
  Almost never or never: Total 4%; Publicly traded 3%; Privately held 5%

How strong is CISO and CRO confidence in their cybersecurity capabilities?

Only six in ten CISOs and CROs have any confidence their firms can avoid a major cyber incident in the next three years. Another three in ten are “neutral/not sure” and one in 10 “increasingly less confident.” We found confidence was higher where the board is more involved in cyber risk and security. Significantly, about 30% of CISOs said they can only address the most pervasive kinds of threats, such as signature-based malware or denial of service attacks. This leaves them vulnerable to more advanced and serious threats such as ransomware, web application hacking, insider and privilege misuse, and targeted intrusions.

What are the top priorities for cyber defense and business resiliency?

Cyber risk and security strategists say their board of directors most commonly charges them to: 1) improve visibility of cyber risks and ensure compliance to regulatory and industry requirements; 2) increase the company’s cybersecurity maturity and adopt emerging models such as “zero trust”; and 3) ensure cyber risks are holistically managed and mitigated across their companies and partners (see Figure 2).

Figure 2. Cyber risk & security priorities arising out of board-level discussions (n=587; not included: “There have been no cyber risk or security priorities arising out of board discussions” (3%)). Priorities shown in the figure:
  Improving visibility of cyber risks & ensuring compliance to regulatory & industry requirements
  Increasing cybersecurity maturity of our company relative to industry peers & adopting emerging models like “zero trust”
  Ensuring cyber risks are holistically managed & mitigated across our company & its larger ecosystem
  Creating & adopting a comprehensive cybersecurity governance model
  Focusing on ecosystem risks & collaboration for oversight, monitoring & mitigation of those risks
  Creating a “resilience-by-design” culture & adopting such standards & controls

The low priority given specifically to focusing on the risks inherent in a company’s (otherwise advantageous) participation in digital ecosystems (#5) contrasts with findings in the TCS 2021 Global Leadership Study,1 which found that:
- 45% of companies today include digital ecosystems in their strategic planning; and
- Executives expect, on average, nearly half of their revenue to come from new industry ecosystems by 2025.
Yet in this study focused on risk and cybersecurity executives, only 15% of respondents said focusing on these risks and collaborating with other ecosystem partners to identify, monitor, and mitigate them was the top priority for their board. This disconnect between the high priority of digital ecosystems in conducting global business and the lack of attention paid to the risks accompanying those ecosystems also showed up elsewhere in our study.

1 TCS 2021 Global Leadership Study:

What are the threats on which CISOs and CROs are focused and the challenges they face?

CISOs and CROs agree that data theft is both the most likely and the most potentially damaging threat facing them today, followed by malicious damage (whether physical or digital), and ransomware. The top three challenges in fighting these threats were finding skilled security staff, changing work environments (such as work from home and bring-your-own-device), and assessing cyber risks and quantifying their costs. And more than half of CISOs say their cyber tech is inadequate to the more advanced threats (see Figure 3).

Cyber executives’ top 3 challenges
1. Skill sets to manage, engineer, and support cybersecurity technology
2. Workforce changes/requirements (e.g., work from home, bring-your-own-device, etc.)
3. Assessing cyber risks and quantifying relevant costs

Figure 3. A majority of CISOs say they’re unable to defend against the most sophisticated cyber threats (n=306)
  46%: We are leveraging artificial intelligence, automation & other advanced technologies to successfully combat the most sophisticated threats
  24%: We are deploying the most advanced technology, but it isn’t adequate to addressing the threats
  30%: Our current state of readiness only allows us to address pervasive threats such as signature-based malwares, DOS attacks & the like

What impact has pervasive migration to cloud platforms had on their security posture?

Back in 2018, a survey of CIOs conducted by industry analyst firm IDG Communications found that “nearly 60 percent believe apps that touch critical data and systems must remain on-premises for security reasons.”2 A threshold seems to have been crossed, with now more than 60% of surveyed CISOs and CROs saying their companies have decided that the security of cloud platforms is at least as secure as (and over a third believe even more secure than) on-premises servers or traditional data centers (see Figure 4). And the more successful a company is, the more likely they are to regard the cloud as the more secure option.

Figure 4. Most companies find cloud platforms as or more secure compared to on-premises infrastructures (n=607)
  34%: We’ve determined cloud platforms present less cyber risk than on-premises servers or traditional data centers and are planning accordingly
  28%: As far as we can tell, the cyber risks of cloud platforms present no more or less risk than the cyber risks inherent in on-premises servers or traditional data centers
  32%: We’ve determined cloud platforms present more cyber risk than on-premises servers or traditional data centers and are planning accordingly
  6%: We can’t come to an agreement about the cybersecurity risks of cloud platforms

2
Enterprise CIO, “Why CIOs say the cloud isn’t replacing on-premises systems,” January 23, 2018: www.enterprise-

Top threats & priorities

Data theft, more sophisticated hacker tactics, and the lack of skills to combat them will be the primary concerns for cyber risk and security strategists in the near term. CISOs are most concerned with criminal incursions based on methods of deception that, psychologically, people are likely to fall prey to. These methods are known as “social engineering” attacks, which include such techniques as creating “watering holes,” pretexting, and whaling; they are followed in CISOs’ concerns by attacks leveraging AI/machine learning and open-source exploitation. (See Figure 5.) Defending against these will require robust identity management for bots as well as people, leveraging high-quality security-as-a-service offerings, and the use of AI-aided tools to proactively detect and fight attacks.

Figure 5. Tactics which most concern CISOs when thinking about cybersecurity between now & 2025 (n=306)
  Advanced social engineering attacks (watering hole, pretexting, whaling, etc.)
  Attacks leveraging AI/machine learning
  Open-source exploitation
  Crime-as-a-Service
  Over-the-air (wireless chip) exploits
  Web cache poisoning
  Botnets
  Chatbots

When asked which areas of the company CISOs and CROs expect to see the greatest number of cyberattacks, finance, customer databases, and research and development were regarded as the top three. Similarly, in our own work with organizations, we also
found that cyber criminals are most likely to target processes that can generate them cash (such as payments and receipts), customers’ personal financial data, and a corporation’s intellectual property. These same top three corporate functions (in the same ranking order) were validated by the TCS 2021 Global Leadership Study3 of corporate strategy leaders, operations vice presidents, and chief operating officers.

Figure 6. Corporate functions where CISOs & CROs expect to see the greatest number of cyberattacks between now & 2025 (n=607)
  Finance
  Customer databases
  R&D
  Sales/ecommerce
  Marketing
  Manufacturing plants/production/procurement
  Human resources
  Legal
  Distribution/supply chain
  Ecosystem partners

Similar to the findings regarding board priorities (see Figure 2 earlier), the lack of concern for the digital ecosystem and its related domain, the distribution and supply chain (ranked tenth and ninth, respectively), is a cause for concern. Digital ecosystems may not yet warrant one of the top positions, and many respondents may only be worrying about what happens to their ecosystem partners insofar as it eventually affects the other nine. It may signal a lack of regard for threats they don’t feel they have as much direct control over compared to the functions and offices they deal with regularly in their own companies. But given the interconnected nature of global business today, for only 15% of CISOs and 18% of CROs (or 16% of the total sample) to name the digital ecosystem as a concern among likely targets suggests a blind spot in corporate cyber risk and security strategy today.

Prioritizing threats involves both the likelihood of a successful attack and its impact. The two biggest threats facing one US financial services firm, its CRO told us, are a loss of data and an attack that disrupted the business. “The first one is more likely but potentially less impact,” he says. “The second is less likely because of some of the controls we have. But if it does happen, it’s going to have significant reputational damage and potential financial impact.”

3 TCS 2021 Global Leadership Study:

To fight data theft, data protection and privacy tools are the primary defenses
CISOs intend to deploy. Those are followed by cloud security management, and the emerging suite of more advanced defenses such as decentralized identity and 5G security solutions. The more financially successful companies are also placing a premium on identity management, ranking it second in importance. Less successful companies ranked it seventh. (See Figure 7.)

Figure 7. Where CISOs expect to prioritize their information security budget between now & 2025 (n=306), ranked separately for Pacesetters and Followers
  Data protection & privacy
  Cloud security management
  Emerging security technologies (such as decentralized identity, 5G security, etc.)
  Threat management (including ransomware protection)
  Identity management (ranked second by Pacesetters, seventh by Followers)
  Managed detection & response
  Governance, risk & compliance
  Vulnerability remediation automation
  Advisory consulting
  Operating technology (OT) security
The challenges to implementing cybersecurity and risk mitigation tend to be more tactical than technical: a lack of skilled personnel, a changing work environment, and difficulty in assessing security risks and quantifying their costs are considered the biggest obstacles to improving security by CISOs and CROs (see Figure 8).

Figure 8. The greatest challenges to cybersecurity & risk mitigation initiatives according to CROs & CISOs (n=607)
  Skill sets to manage, engineer & support cybersecurity technology
  Workforce changes/requirements (e.g., work from home, bring-your-own-device, etc.)
  Assessing cyber risks & quantifying relevant costs
  Reliance on legacy IT systems
  Accumulated complexity of our own business processes & operations
  Difficulty in demonstrating return on cybersecurity investments
  Lack of collaboration across enterprise units (business, IT & security)
  Lack of diversity (including of thought & experience) in staff assessing cyber risks & threats
  Difficulty in mandating that our current vendors adopt advanced technologies & policies
  Budget constraints
  Competing interests for the board or senior leadership
  Outdated, siloed & non-integrated security tools

Across banking and financial services, utilities, and media and information services, CISOs
consistently ranked enhancing security governance and risk management (e.g., assessing the security posture of the company, defining controls and standards, etc.) as their top priority; in manufacturing, CISOs ranked it third, tied with acquiring or developing security talent, which also ranked third among all respondents (see Figure 9). The US National Institute of Standards and Technology defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” For CROs, this means understanding their highest concentrations of risk, whether in information assets, suppliers, geographies, or other such elements; integrating the company’s cyber and business strategies; and identifying the most critical, but often little known, operations that support their core business (see Figure 10).

Cyber leadership & alignment

One encouraging sign is that CISOs and CROs largely share top priorities. They include security governance, risk concentration and management, and the integration of cyber and business strategies. As well as having similar priorities, CISOs and CROs believe they are successfully coordinating their work. In fact, over half (51%) say they confer with their counterparts at least weekly; 1 out of 8 do so daily. And the more financially successful the company, the more likely CISOs and CROs are to collaborate frequently (see Figure 11).

Figure 9. CISO work priorities (n=306)
  Enhancing security governance & risk management
  Establishing a more robust cybersecurity strategy
  Security talent acquisition & development
  Strengthening enterprise-wide cyber hygiene
  Enterprise-wide employee awareness & training
  Implementing models like “zero trust”/perimeterless security
  Executive/board mandates on cybersecurity risks
  Regulatory or industry compliance mandates
  Managing ecosystem & supply chain risks
  Outsourcing our security operations

Figure 10. CRO cyber resiliency priorities (n=301), ranked 1 to 8
  1. Understanding concentration risk
  2. Integration of cyber & business strategies
  3. Identification of critical operations for core business lines
  4. Identification & clear ownership of digital assets
  5. Plans for business continuity/disaster recovery
  6. Measurements of resilience
  7. Partnerships with industry groups, government agencies
  8. Fostering an organizational culture of resiliency

Figure 11. Frequency of collaboration & coordination between CISOs & CROs (n=607)
  Daily/several times a week: Pacesetters 37%; All others 33%; Followers 27%
  Weekly/several times a month: Pacesetters 41%; All others 40%; Followers 43%
  Monthly/quarterly: Pacesetters 21%; All others 23%; Followers 27%
  Rarely/never: Pacesetters 1%; All others 4%; Followers 4%

The CISO at a UK-based financial services firm told us he meets daily with his CRO counterpart, who he sees as an “absolutely critical stakeholder.” He envisions himself as the first line of cybersecurity defense, with the CRO “the second line.” Over time, he sees these two “lines of defense” overlapping, resulting in more and closer collaboration.

Sometimes the issue is not collaboration between CISOs and CROs but among CISOs in various business units. At one large US utility holding company, the CRO wanted help consolidating cybersecurity functions across its main organization and operating companies. A third-party review found the CISO of each holding company was operating independently not just of the corporate CISO’s team, but from the CISOs in other
business units. This lack of coordination resulted in duplicate spending for common projects, an inability to adopt lessons learned, inadequate security and risk mitigation training for employees, widespread non-compliance with control measures, and, ultimately, a cyber breach. Consolidating CISO governance helped in the short term, but the company still faces challenges in funding additional projects, training and awareness, and in making the organizational changes required to improve alignment among CISOs.

“I meet with my CISO all the time, two or three times a week at least,” says the CRO of a US-based financial services firm. For each current or potential threat, they assess “is the risk going from green to amber to red? And if it’s red, what sort of actions do we need to take and how are we progressing on the actions?” They also review their response to successful or “near miss” attacks, with the CRO doing a root cause analysis of the failure and lessons learned for sharing with the corporate board and risk committee. He sees his role as “independently kicking the tires and testing and challenging” the security technology and processes suggested by the CISO to assure they fit the company’s acceptable levels of risk. In some cases, he says, he will lobby for more and faster security spending to counter fast-changing threats. “I would push the board and the CISO to say, ‘Maybe the defense against a current threat needs higher spend to solve the problems now, because who knows what we’ll be tackling 12 months from now,’” he says.

One example of such collaboration is data privacy, which requires tight integration between the data protection technology and processes executed by the CISO and the legal and regulatory understanding of the CRO. The CRO staff oversees “the collection of data, the fair processing of it, the sort of information governance aspect of it. I make sure that the custodian and owner are really doing their job in terms of access rights, that data loss prevention is working and tuned around the kind of data that we’re most worried about,” says the CISO. The two teams meet monthly to discuss issues such as the business data needs and any security events in a combination of objective reports and “a collaborative discussion-based aspect,” he says.

Board & business unit engagement

As the ultimate decision makers and allocators of budget, boards of directors play an essential role in ensuring a proper focus on security. Our survey found
mixed results about their engagement in security. Although 40% of boards discuss cyber risk and security issues very regularly, at every meeting or every meeting of a committee of the board, another 43% do so with some regularity, but only periodically, rather than proactively. And 1 in 6 boards address security occasionally or even never (see Figure 12).

Figure 12. In the last 12 months, how often has your company’s board of directors (or a committee of the board) discussed cyber risk & security issues as an agenda item or in depth? (n=607)
  Very regularly or in every board meeting: 40%
  Regularly at periodic intervals: 43%
  Occasionally or as necessary: 13%
  Almost never or never: 4%
  Don’t know/can’t say: 1%

The CISO at a UK-based financial services firm says he briefs his board on security issues more frequently and longer than in years past, as more tech-savvy members join the board and members
who sit on other boards bring their experience of security breaches at those firms. In communicating with the board, he uses “a very formal, fact-based objective set of measures that turn the words in a risk appetite statement into numbers that can be measured by technical people,” such as the IT organization’s success at patching applications or limiting successful phishing attacks. “Then we hold people accountable for achieving those targets in public. And generally, that drives the behaviors we need,” he explained. He also combines “theoretical paper-based, KPI (key performance indicator)-driven mathematical analyses of risk with a description of ‘here’s what happened the last time we paid someone to hack us.’ And that brings it to life and gets the heart rate moving.”

The CRO for a US financial services firm has seen his board’s awareness of cyber threats increase dramatically. “They’re extremely engaged on that topic. Five or seven years ago, it was a conversation on ‘What does it really mean? Is this really our problem? Can this happen here?’ Today, the conversation is, ‘Of course, it can happen here.’” Our research also showed Pacesetter firms’ boards are the most engaged on the issues of cyber risk and security (see Figure 13).

Figure 13. In the last 12 months, how often has your company’s board of directors (or a committee of the board) discussed cyber risk & security issues as an agenda item or in depth? (n=607)
  Very regularly or in every board meeting: Pacesetters 44%; All others 42%; Followers 36%
  Regularly at periodic intervals (e.g., every other or every third meeting): Pacesetters 46%; All others 41%; Followers 44%
  Occasionally or as necessary: Pacesetters 5%; All others 14%; Followers 14%
  Almost never or never: Pacesetters 5%; All others 3%; Followers 4%
  Don’t know/can’t say: shown in the figure legend; values not recoverable

However, C-level executives and business unit leaders often put less of a priority on security, with one in five only engaging with cybersecurity after a breach or
other attack has materially affected the business, our study found. Another third only address cybersecurity issues when it’s brought to their attention, respondents noted.

Figure 14. How much attention is given to cyber risks & security issues by your firm’s business unit leaders & its C-level executives? (n=607)
  42%: Our firm’s C-suite & business unit executives actively & frequently discuss our cyber risks & security
  33%: Our firm’s C-suite & business unit executives discuss cyber risks & security, but usually only when cyber threats are brought to their attention
  18%: Our firm’s C-suite & business unit executives discuss cyber risks & security only when a cyberattack hurts our business
  7%: Our firm’s C-suite & business unit executives have hardly addressed cyber risk & security

This disconnect between the board and C-level executives “is a really, really hot point,” said the CISO at a UK-based financial services firm. “I don’t know any CISO that’s fully overcome it.” Misalignment is often caused by a security team that wants to ensure every business function is secure and business unit heads that want to bring new products or business models to market quickly. When compromises must be made between security and speed, he added, how much of that decision “belongs to the CEO? How much of it belongs to the CTO? How much of it belongs to me?”

That can also lead to friction between CIOs and CISOs, the CISO for a US-based financial services firm says. CIOs, he noted, “want fast delivery, cheap delivery, low-operating cost from a technology perspective. They do want to have good security, but that
comes second to having fast delivery, low cost, and quick implementation. So, the reality is the CIO and the CISO often find themselves at loggerheads.” The CISO at a US-based media firm told us he’s seen increased attention to security from business unit heads after they’ve gone through tabletop security exercises and seen their counterparts in other organizations suffer security breaches.

Cloud platform security

As the hyperscale cloud providers (Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba AliCloud, and others) have improved their security and
as more companies in every industry have moved their applications and data to the public cloud, businesses are becoming more comfortable with the security that cloud platforms offer. A majority of CISOs and CROs we surveyed (62%) said their companies now believe cloud platforms offer as good as or better security than on-premises servers and traditional data centers (see Figure 4 earlier). Yet about one-third of respondents, especially those who told us they were most concerned with data protection over data privacy, still believe the cloud is riskier than on-premises systems. The trend, however, is clear: major cloud
107、providers business depends on securing their customers operaons and they have the resources to boost the security of their services.As the IT industry moves to more cloud-based infrastructures,whether in whole or as hybrid arrangements with more tradional data centers,cloud plaorms and cloud-based s
108、ervices will increasingly provide as good as or beer security than in-house data centers.That seems to be reflected in our study data by the fact that the more successful a company is(see Figure 15)and the more confident its execuves feel about its posture toward both internal cyber risks and extern
109、al hacker threats(see Figure 16),the more likely the company is to trust its data and processes to the cloud.AWeve determined cloud plaorms present less cyber risk than on-premises servers or tradional data centersAs far as we can tell,the cyber risks of cloud plaorms present no more or less risk th
110、an the cyber risks inherent in on-premises servers or tradional data centersWeve determined cloud plaorms present more cyber risk than on-premises servers or tradional data centersWe cant come to an agreement about the cybersecurity risks of cloud plaormsPaceseersFollowers44%27%25%4%All others38%25%
111、31%6%27%31%36%6%Enterprise atudes toward cloud plaormsn=60720Master Report|TCS Risk&Cybersecurity StudyFigure 16We have external/internal risks&threats well in handOur ability to handle external/internal risk&threats is typical for our industryExternal/internal risks&threats outstrip our defenses,po
112、licies and controlsPercepons of external/internal risks&threats,vs enterprise atudes toward cloud plaormsn=607not shown:cant come to an agreement about cybersecurity risk of cloud platformsCloud plaorms present less cyber riskthan on-premises servers/data centersCloud plaorms present no more or less
113、 cyber risk than on-premises servers/data centersCloud plaorms present more cyber risk than on-premises servers/data centers41%34%25%34%38%29%29%39%32%Companies choosing to host their data on-premises may oen be limited to older security soluons and taccs rather than the state-of-the-art cybersecuri
114、ty available in cloud plaorms a risky posion as cyber defense develops further and faster into an arms race.Even organizaons that,for regulatory and other reasons,choose to keep some applicaons and data in-house can use cloud-based security services to leverage the latest security technology and tac
115、cs.This assumes,however,that they idenfy and priorize protecon of their most crical data and compung resources with the most current capabilies,such as encrypon on the fly and zero-trust security,regardless of where their data is stored.One risk is not the applicaons that move to the cloud,but those
116、 older vulnerable applicaons that never make it as planned,said the CISO for a US-based financial services company.Known vulnerabilies in the legacy system arent always fixed,he explained,because that work would be thrown away when“applicaon XYZ migrates to the cloud in six months.”A year and a half
117、 later,the same app is sll running on legacy,on-premises hardware with the same vulnerabilies.“That situaon happens 1,000 mes a day across corporate America and the world.And its a challenge because those are the exact applicaons and entry points that are geng hit by the bad guys.”Finally,the CISO f
118、or the UK-based financial services firm noted that any applicaon or database on the cloud must be correctly configured if it is to be secure.“We see so many cloud breaches that are a result of misconfiguraons.And those misconfiguraons are not necessarily because people didnt understand the technical
aspects. They just haven't thought about what they needed properly. And that requires in-house knowledge."

Investment & skills

Keeping abreast of the most advanced tactics of cyber criminals is less cost-related and more about spending the available budget wisely. In fact, our study found that budget constraints rank low, tenth out of 12 choices, on the list of obstacles to effective cybersecurity and risk mitigation initiatives (see Figure 8 earlier). And only 8% of respondents cite it as the primary obstacle. Difficulty in demonstrating a return on the investment in cyber risk and security capabilities ranks only sixth. Similarly, the continued use of outdated, siloed, and non-integrated security tools, often a budget-related issue when it arises, is also not generally a major obstacle, ranking last.

In fact, two-thirds (67%) of CISOs and nearly half (47%) of CROs saw a budget increase last year (see Figure 17). Of those that saw an increase, CISO departments averaged an estimated⁴ 18% budget increase over the previous year; CRO departments averaged an estimated 13% budget increase. (The average estimated decrease for each was around 10%.)

Paying for the right capabilities is less of a problem than finding and keeping the right skills to make the best use of those capabilities. A lack of security skills was cited as a top challenge for most respondents. And indeed, more than 4 in 10 respondents said they had difficulty this past year either recruiting top talent with cyber risk and security skills, difficulty retaining talent with those skills, or both (see Figure 18). While this has been an issue across the IT industry in the last couple of years, cybersecurity skills are especially in demand. One estimate⁵ for the US labor market says that cybersecurity roles will sit unfilled 21% longer than do other IT jobs.

Figure 17: Budgets that changed from last year to this (n=607; not shown: "no change"; "can't or prefer not to answer")
Increased budget: CISOs 67%, CROs 47%
Decreased budget: CISOs 9%, CROs 16%

⁴ Estimates based on average of reported range midpoints.
⁵ CyberSeek, April 2022: www.cyberseek.org

While there is no single solution to
the staffing challenge, our report shows that the more frequently the board engages in risk and cybersecurity (see Figure 19), the more proactively the C-suite engages on it (see Figure 20), and the more open to cloud computing the company is (see Figure 21), the more successful the company is in finding and holding onto their top talent with cyber risk and security skills.

Figure 18: Recruiting & retaining needed cyber skills (n=607)
Recruiting top talent with cyber risk & security skills: we have not had a difficult time doing so this past year 56%; we have had a difficult time doing so this past year 44%
Retaining top talent with cyber risk & security skills: we have not had a difficult time doing so this past year 58%; we have had a difficult time doing so this past year 42%

Figure 19: Board engagement on cyber risk & security, vs challenge in recruiting & retaining top talent with cyber skills (n=607; not shown: don't know/can't say about board discussion frequency)
Columns: our board focuses on cyber risk & security very regularly / periodically / occasionally, as necessary / almost never or never (values in extraction order)
Recruiting talent, not difficult: 61% / 55% / 47% / 42%
Recruiting talent, difficult: 39% / 45% / 53% / 58%
Retaining talent, not difficult: 63% / 59% / 49% / 33%
Retaining talent, difficult: 38% / 41% / 51% / 67%

Figure 20: C-suite & business unit engagement on cyber risk & security, vs challenge in recruiting & retaining top talent with cyber skills (n=607; combined recruiting & retention answers)
Response options, in the order extracted: our firm's C-suite & business unit executives actively & frequently discuss our cyber risks & security; discuss cyber risks & security only when a cyberattack hurts our business; have hardly addressed cyber risk & security; discuss cyber risks & security, but usually only when cyber threats are brought to their attention.
Percentages, in the order extracted: we have not had a difficult time recruiting/retaining top talent with cyber skills 64% / 58% / 48% / 41%; we have had a difficult time 36% / 42% / 52% / 59%.

Figure 21: Embrace of cloud platforms, vs challenge in recruiting & retaining top talent with cyber skills (n=607; combined recruiting & retention answers; not shown: "we can't come to an agreement on cloud")
Columns: cloud platforms present less cyber risk than on-premises servers or traditional data centers / the cyber risks of cloud platforms present no more or less risk than the cyber risks inherent in on-premises servers or traditional data centers / cloud platforms present more cyber risk than on-premises servers or traditional data centers (values in extraction order)
We have not had a difficult time recruiting/retaining top talent with cyber skills: 59% / 59% / 54%
We have had a difficult time recruiting/retaining top talent with cyber skills: 41% / 41% / 46%

Our recommendations

The findings from this study and TCS work with companies worldwide suggest some recommendations as best practices for enterprises today.

Chart a long-term strategy that aligns security technology and functions around both regulatory compliance and protecting the applications, data, and infrastructure most critical to the business. Educate top management about the damage security breaches can cause through financial loss, damage to company and brand reputation, and the loss of company data. Supplement statistics and hypothetical scenarios with real-world examples and the results of penetration tests.

Take an integrated approach to governance and implementation of cybersecurity that makes it the responsibility of all functional and business units in the enterprise as well as third parties and vendors involved with relevant processes. Build on the knowledge and experience of staff in business lines to identify and implement the steps needed to bring cybersecurity controls in line with time-tested security frameworks and keep the enterprise operating without interruption. For example, after a data breach a global biotech firm realized the need for increased focus by senior managers and increased collaboration among business units. Multiple assessments by external vendors showed the need to increase the responsibility of multiple business units for cybersecurity functions, as well as to increase collaboration among them and sharpen the focus by senior management on the responsibilities of groups including IT, information security, enterprise risk management, HR, finance, legal, and compliance. The increased focus by the board led to annual assessments and a notable improvement in how well the company aligned its spending to reducing cyber risk.

Consider creating a board-level committee charged specifically with cyber risk and security. This takes pressure off audit committees that often have far too many other responsibilities to give regular and sustained attention to rapidly evolving cyber threats. In addition to strong business operations backgrounds, the members of this new Cyber Risk and Security committee should have a strong familiarity with the enterprise IT landscape, either as providers, practitioners, or customers of advanced technology. At the very least, update the board regularly and frequently on cyber risks and mitigation efforts. When updating the full board, each C-suite and business unit should include the cyber risk and
144、 security implicaons of any planned acvies,indicang their alignment with corporate-wide cybersecurity iniaves and strategy.Aenon to security from regulators and even investors is driving increased board engagement on the issues of cyber risk and security.Following the invasion of Ukraine,for example
145、,the US Department of Homeland Security advised boards of directors to improve their internal oversight and coordinaon of cybersecurity acvies.6 Among its recommendaons were that CISOs be empowered to act across the organizaon and that boards and senior managers parcipate in tests of cyber response
146、plans,focusing their enterprises on resiliency and understanding their companies plans for worst-case scenarios.Less than two weeks later,the US Securies and Exchange Commission proposed new rules7 requiring publicly traded companies to provide more informaon about their security posture in regulato
147、ry filings.These include disclosure about the boards oversight of cybersecurity risk,managements role in assessing and managing such risk,managements cybersecurity experse,its role in implemenng cybersecurity policies,procedures,and strategies,and whether and what experse board members have in cyber
148、security.Focus on cyber resilience because even the best-guarded organizaon can become a vicm of a malicious cyber breach.A serious effort to enhance cyber resilience should include establishing a program dedicated to this important goal and led by an individual whose ideal background would be a com
149、binaon of both informaon technology and business experience.This person would be explicitly supported by senior leadership and work in partnership with business execuves,with authority to examine current cyber processes,systems,and data in the various IT and business units and advocate resiliency im
150、provements.He or she would funcon as the cyber resiliency champion for the organizaon and should drive forficaon of core business processes in order to build resilience against cyber threats.The CROs we polled said their top resiliency priories are understanding where risk is most concentrated,integ
151、rang their cyber defense and business strategies,and idenfying the crical operaons in core lines of business.Because its so difficult to accurately predict the likelihood of a successful aack,“Ive been advising our execuve team and the board that we need to focus on the impact”and how to alleviate i
152、t,says the CISO at a US water ulity.“We sit down with our business owners and the folks that run the operaons and say,What would your worst day look like?”and then they idenfy the types of cyberaacks that could cause them.The team then gives the board examples,such as:“A major ransomware event can c
153、ost up to two weeks downturn on our operaons.This is the amount of boled water we would have to deliver when our system is not available,and this is the impact to our customer.For each crical business process,he then works with the business owners to understand what it would take to meet its recover
154、y me objecve that is,the target period it takes to restore a business service.25Master Report|TCS Risk&Cybersecurity Study6Cybersecurity&Infrastructure Security Agency,memo to members of the Naonal Associaon of Corporate Directors,February 25,2022:www.nacdonline.org/files/CISANote.pdf 7Securies and
155、Exchange Commission,“Cybersecurity Risk Management,Strategy,Governance,and Incident Disclosure,”March 23,2022:www.federalregister.gov/documents/2022/03/23/2022-05480/cybersecurity-risk-management-strategy-governance-and-incident-disclosureEmbed security as a foundaonal layer in every aspect of the o
156、rganizaon.From inial planning to end-of-life cycle,boardrooms to far-flung third-party partners,security must be embedded within every aspect of an organizaon,or the enterprise will,by definion,remain unsecured.Treat security measures as a crical element of design and operaons at the foundaonal laye
157、r,and deeply embed it within the company culture.One example is extending more advanced security methods such as mulfactor authencaon that combines a users identy,a device they have(such as a smartphone),and something they know,such as a password,to even consumer-facing applicaons,where appropriate.
158、Another example of“built-in”security is security and privacy controls that move with data as it is transferred across internal and external security boundaries,using encrypon,hashing,aggregaon,and other best pracces.Business today runs on data,and development and maintenance of the code that uses th
159、at data should have cybersecurity integrated into the life cycle of all IT projects.Commonly referred to as“DevSecOps”(for“development,security,and operaons),such environments integrate security end-to-end in the life cycle of digital work,rather than“bolng it on”aer the fact.Automang the inclusion
160、of applicaon security as part of a normal Agile development framework makes the product,service,or process more likely to be successful and to receive buy-in from stakeholders.Make supply chain and partner ecosystem security a higher priority.Maintain open,regular channels of communicaon and collabo
161、raon about security with partners,suppliers,vendors,and distributors.Boards of directors,CISOs,and CROs across several measures are not yet focusing as strongly as they should on the ecosystem risks or on collaboraon for oversight,monitoring,and migaon of those risks.For example,enterprise soware to
162、day leverages huge libraries of APIs(applicaon programming interfaces),which passes data from one applicaon to another,oen although certainly not exclusively using internet protocols.Besides interconnecvity,one benefit of APIs is that,if designed securely,they can allow two applicaons to interact wi
163、thout revealing the inner workings of either applicaon.However,these connecons can be exploited if security corners were cut or ignored in the development of the API.In fact,in our study,CISOs cited“open-source exploitaon”as the third most alarming threat they expect to face more of between now and
164、2025.(See Figure 5 earlier.)Despite this concern by CISOs for the points where the digital ecosystem is glued together,they also rated“ecosystem partners”last in their list of cyber target concerns.And of priories arising out of board-level discussions,“focusing on ecosystem risks and collaboraon fo
165、r oversight,monitoring,and migaon of those risks”was cited as the top priority by only 14%of respondents.CISOs also ranked“managing ecosystem and supply chain risks”as next to last(out of 10)when asked about their own departmental priories.But visibility between organizaons is necessary for the lead
166、ers of service providers,suppliers,and distribuon partners to maintain a higher level of security for major endeavors that involve many players.Ransomware and other hacker threats are increasingly relying on the open door oen provided by unsecured systems run by contractors,vendors,and suppliers.The
167、 CISO at a US-based financial services firm sees vendors,including those who serve his primary vendors,as his second-highest threat vector“just because we dont have as much visibility”into vendors with whom 26Master Report|TCS Risk&Cybersecurity Studythey may not have a close relaonship.To learn mor
168、e,he asks them to complete security quesonnaires,audit their security pracces,and test their security pracces in a controlled seng.The CISO of the US-based media company told us his company includes security requirements in its contracts with any vendor that can access its network or hosts crical in
169、formaon or services.Among the requirements,he noted,are that they have someone in charge of security,“implemented policies and pracces that help secure the environment,and that they nofy us within 24 to 48 hours if theres an incident.”Resistance from vendors to such language is declining,he explaine
170、d,as regulators begin pressuring all companies to divulge more of their security pracces.One Europe-based manufacturer requires vendors accessing their systems to use mulfactor authencaon,dedicated VPN tunneling,and establishes ght limits to the informaon they can see.“We actually put together stand
171、ard contractor clauses to make sure everyone is signing up on the same level of security that we are willing to support and also opening up to audit from a third party,”the companys CISO told us.Leverage the cloud and cloud services to enhance your security profile.Cloud-posive organizaons seem to h
172、ave a slight advantage in retaining and recruing talent with cyber skills,compared to those companies who think on-premises or tradional data center security is preferable to whats available via the cloud(see Figure 21 earlier).This makes sense,since more and more computer science and business gradu
173、ates today assume a cloud-based environment and marketplace as the rule,rather than the excepon.Addionally,our study data shows that organizaons that see cloud plaorms security capabilies as an improvement over on-premises infrastructures are likely to be more successful in terms of revenue and prof
174、it(see Figure 15 earlier).As your firm modernizes or replaces applicaons with cloud-based plaorms,maintain cybersecurity vigilance and regulatory compliance by weaving established cybersecurity frameworks into cloud adopon,including insight into third-party vendors compliance with cybersecurity cont
175、rols.In the event of a breach,this would establish evidence for demonstrang compliance,from both a maturity and assurance perspecve.Integrang on-premises and cloud security is not easy,the CISO for a US-based manufacturing firm told us.It requires the right level of oversight into which users are ac
176、cessing which systems,either on-premises or in the cloud,and what they are doing with the data on both plaorms.“All of those monitoring tools will have to be integrated with your strategy,”and the security operaons team must ensure any potenal breaches are correctly invesgated,he says.Coordinate the
177、 cybersecurity and risk funcons closely.CISOs and CROs should coordinate at least weekly to ensure the companys strategic interests,its approach to risk,and its cybersecurity iniaves are aligned and evolve as technologies and business needs change.Our study found that frequent collaboraon between th
178、e CISO and CRO offices correlates with corporate financial success(see Figure 11 earlier).Such collaboraon can also help a company determine when overly strict security measures might negavely impact the business.For example,while the CRO might want robust authencaon for every user of every applicao
179、n to meet the requirements of a security framework,the CISO might seek an exempon for an 27Master Report|TCS Risk&Cybersecurity Studye-commerce web site to avoid presenng potenal customers with an off-pung authencaon requirement before they can enter a storefront and make a purchase.At a US-based me
180、dia firm,the CISO and a vice president filling the CRO role run joint connuity planning exercises for events such as security breaches or natural disasters.The CISO draws on the risk units rigorous processes and connecons to key stakeholders to encourage adopon of cybersecurity 28Master Report|TCS R
181、isk&Cybersecurity StudyThe CISO at a UK-based financial services firm told us he meets daily with his CRO counterpart,who he sees as an“absolutely crical stakeholder.”He envisions himself as the first line of cybersecurity defense,with the CRO“the second line.”Over me,he sees these two“lines of defe
182、nse”overlapping,resulng in more and closer collaboraon.capabilies.Since two other companies in their industry suffered cyberaacks,the CISO office and risk unit are working even more closely to understand and migate the impact of an event on the business.CISOs and CROs at publicly traded companies wi
183、ll also need to bring investor relaons into their discussions as investors pay more aenon to cyber risk and security as part of an increased focus on environmental,social,and governance(ESG)issues,says the CISO for a UK-based financial services firm.The CISO and CRO can help investor relaons,along w
184、ith senior management and the board,understand the damage successful cyberaacks can do to a companys share price,market share,and reputaon.Yet,as this first-ever TCS study of enterprise risk and cybersecurity professionals shows,there is good news.For one thing,funding for cybersecurity and risk mig
185、aon iniaves isnt generally a problem(see Figure 8 earlier).For another,taking all other factors into consideraon,60%of cyber risk and security execuves feel some confidence their company will be able to avoid a major cyber event that results in significant financial loss or reputaonal damage(see Fig
186、ure 22).They know theyll be aacked,but they are either cauously confident or(for 14%)even very confident they will weather the onslaught.s the CROs and CISOs of large companies realize,the queson of cyberaacks is no longer“if”but“where”and“how.”Most large enterprises today are already dedicang sizab
187、le headcount and operang budgets to idenfying risks,defending the company against threats,and migang the effects of the aacks that are already occurring.Companies in every industry,government bodies,and non-governmental organizaons are all experiencing an unprecedented level of aacks from freelance
188、hackers,state-sponsored cyber terrorists,and criminal consora-for-hire.Its an arms race that requires staying one step ahead of malefactors just to connue doing business in todays increasingly interconnected digital ecosystem.29Confidence in the face of certain attackMaster Report|TCS Risk&Cybersecu
189、rity StudyACISO&CRO confidence in their companys ability to avoid a major cyber incident in the next 3 years resulng in significant financial or reputaonal lossn=607Very confidentSomewhat confidentNeutral/not sureIncreasingly less confidentNot at all confident14%46%31%9%0.33%Figure 22Companies that
190、have already adopted or adapted several of the recommendaons in this report enjoy even greater confidence in their ability to withstand the worst effects of a cyberaack.For example,companies where the board takes a proacve approach to cyber risk and security and where the CISOs and CROs collaborate
191、and coordinate frequently are both more likely to have cyber risk and security execuves with a degree of confidence greater than cyber execuves at companies where the board is less engaged and where coordinaon is more perfunctory or an aer-thought(see Figure 23).68%61%39%70%56%56%53%27%30%43%26%33%3
192、6%29%5%10%17%5%11%8%18%Very/somewhat confidentNeutralLess/not at all confidentFrequency of board engagement on cyber risk&security issuesFrequency of collaboraon&coordinaon between CISO&CROVery regularlyDaily/several mes a weekWeekly/several mes a monthMonthlyQuarterly,rarely,or neverPeriodicallyOcc
193、asionally,asnecessary,or neverConfidence in avoiding a major cyber incident resulng in financial loss or reputaonal damage between now&2025n=607;not shown:Dont know/cant say on board discussion frequency30Master Report|TCS Risk&Cybersecurity StudyFigure 23However,too many businesses sll feel they ca
194、nnot adequately protect themselves against todays threats,much less emerging dangers such as AI-aided aacks.While boards are increasingly focused on cyber risk and security,C-suites and lines of business are sll mostly only focusing on the issue when its brought to their aenon;18%of C-suites only fo
195、cus on it aer the organizaon has already been aacked(see Figure 14 earlier).A lack of security skills is a constant and difficult to meet challenge,which further complicates the challenge(see Figure 8 earlier).Our study and work with enterprises show a path forward:Looking beyond technology to impro
196、ved collaboraon and security and data protecon processes.Establishing formal mechanisms for collaboraon to ensure all stakeholders agree on the data and applicaons that most need protecon and coordinate the purchase and use of tools to protect them,with a complete accounng of the myriad soware soluo
197、ns different departments and businesses have deployed.Secure,advanced processes that leverage automaon for data migraon,protecon,access control,and training can migate many of the most common risks.To meet emerging risks,we recommend businesses require leadership across the organizaon to align its s
198、ecurity spending and efforts on the most crical risks,ensuring that all stakeholders have the informaon they need to idenfy and assess risks and can work together to improve cyber resilience.Companies can help fill the skills gap by using external service providers for harder-to-staff work,such as 2
199、4/7 network monitoring,while growing talent internally by giving them exposure to not only the technical but the business aspects of cybersecurity.Expand your pool of talent by seeking out more diverse recruits,and dont underesmate the importance of a high-quality workplace in retaining that talent.
200、Cyber security will always be an ongoing arms race between defenders who must protect every system and database all the me against all threats,and aackers who only need to find one vulnerability to steal data,bring down systems,or hold data for ransom.No CIO,CISO,or CRO can guarantee their organizao
201、n will never be hacked.However,the most successful organizaons can secure the most crical assets with the best use of their available funds by:Gaining high-level support for coordinated dynamic cybersecurity measures focused on the applicaons and data most crical to the business;Invesng the me and e
202、ffort required to align all stakeholders with those priories;Leveraging the cloud,and cloud-based security services,to tap the most current defenses against ever-changing threats;Building and tesng resiliency plans so you can recover the most important parts of your business if an aack succeeds;and
203、Becoming a preferred employer to aract and develop internal talent for the security funcons you need to do in-house,while leveraging outside providers for work requiring industry-leading experse.31Master Report|TCS Risk&Cybersecurity Study12Master Report|TCS Risk&Cybersecurity Studye surveyed 607 se
204、curity professionals,split between chief informaon security officers(CISOs)and chief risk officers(CROs)in North America and Europe between February 15 and March 21,2022.Respondents represented the banking and financial services,ulies,media and informaon services,and manufacturing industries,given t
205、he increasing number of cyberaacks being experienced by these industries in parcular.Approximately half of respondents were CISOs and half CROs.This report is based on their responses and on in-depth interviews with other CISOs and CROs in the geographies and industries represented in our survey.32M
206、ethodologyMaster Report|TCS Risk&Cybersecurity StudyWRespondents by industryRespondents by role54%44%9%46%16%6%6%5%3%3%2%2%2%1%USCanadaUKItalySpainGermanyFranceFinlandSwedenNetherlandsNorwayDenmarkNorth AmericaEurope/UKRespondents by region&countryn=607CISOsCROs306301Banking&financial servicesUliesM
207、edia&Informaon servicesManufacturing133Master Report|TCS Risk&Cybersecurity StudyAs part of the analysis,the most successful companies those who had both revenue and net profit changes from 2017 to 2021 that were higher than the average of all the companies surveyed in their industry(or,i
208、f at least 30 companies existed for a subsector,in their subsector)were deemed“Paceseers.”Those whose revenue and net profit growth were both lower than the industry or subsector average were,for comparison purposes,considered“Followers.”Paceseersn=104Followersn=294Banking&financial servicesUliesMed
209、ia&Informaon servicesManufacturing32%33%17%18%31%17%23%30%Percentagesin charts may not add up to 100%due to roundingAll respondentsCISOs=306CROs=301FollowerCROs,28%FollowerCISOs,21%OtherCROs,17%OtherCISOs,18%PaceseerCROs,5%PaceseerCISOs,12%Execuve championsSantha SubramoniGlobal Head,Cyber Security
Services, TCS
Robert Scalise, Managing Partner, Risk & Cyber Strategy, TCS

All content/information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content/information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content/information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2022 Tata Consultancy Services Limited

About Tata Consultancy Services Ltd (TCS)
Tata Consultancy Services is an IT services, consulting and business solutions organization that has been partnering with many of the world's largest businesses in their transformation journeys for over 50 years. TCS offers a consulting-led, cognitive powered, integrated portfolio of business, technology and engineering services and solutions. This is delivered through its unique Location Independent Agile delivery model, recognized as a benchmark of excellence in software development. A part of the Tata group, India's largest multinational business group, TCS has 592,000 of the world's best-trained consultants in 46 countries. The company generated consolidated revenues of US$25.7 billion in the fiscal year ended March 31, 2022 and is listed on the BSE (formerly Bombay Stock Exchange) and the NSE (National Stock Exchange) in India. TCS' proactive stance on climate change and award-winning work with communities across the world have earned it a place in leading sustainability indices such as the MSCI Global Sustainability Index and the FTSE4Good Emerging Index. For more information, visit us at . Visit and follow TCS news TCS_News.

Get more insights
If you would like to have more information on the TCS Risk & Cybersecurity Study, please visit . For more information or any feedback, email TCS Thought Leadership Institute at TL.I . For the most up-to-date content and news, download the TCS Perspectives app for your iOS and Android device.
215、ive stance on climate change and award-winning work with communities across the world have earned it a place in leading sustainability indices such as theMSCI Global Sustainability Index and the FTSE4Good Emerging Index.For more information,visit us at .Visit and follow TCS news TCS_News.Get more insightsIf you would like to have more information on the TCS Risk&Cybersecurity Study,please visit more information or any feedback,email TCS Thought Leadership Institute at TL.IFor the most up-to-date content and news,download the TCS Perspecves app for your iOS and Android device.34