Is your organization too complex to secure?

Eighty-two percent of Canadian respondents say their organizations are too complex. But those that have had the best cybersecurity outcomes globally over the past two years are 5x more likely to have streamlined operations enterprise-wide.

Be deliberate about simplicity and simplification


Eighty-two percent of Canadian respondents to our survey (75% globally) say their companies are too complex, avoidably and unnecessarily so, and nearly as many say complexity poses “concerning” cyber and privacy risks to their organizations in 11 key areas.

Data seems to be a chief point of concern. Data governance and data infrastructure are considered to be areas of “unnecessary and avoidable” complexity by a majority of Canadian respondents (80% and 81%, respectively, compared to 77% for both globally). Most large companies’ technology architectures, which include legacy systems, are complicated. Mergers with other entities may multiply risks by connecting already complex networks and systems.

The most worried about all this complexity are CEOs. Globally, they assign a complexity level of ten to 7 of 11 areas in their organizations. CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments and crossover from IT to operational technology (OT). We’ve heard similar concerns from Canadian CEOs and executives.

The costs of complexity

Complexity isn’t bad in and of itself. Often, it’s a by-product of business growth. The larger an organization, the more complex it will naturally be, needing more people and technologies to serve a growing customer base. The costs of creating unnecessary complexity aren’t obvious, and it’s hard to create urgency around combatting complexity—that is, until an attack occurs.

Asked to highlight the top consequences of operational complexity, our Canadian respondents selected:

  1. Inability to innovate as quickly as the market opportunities offer.
  2. Financial losses due to successful data breaches or cyber attacks.
  3. Inability to sustain growth for the long term.

Complexity not only threatens today’s fortunes, in the view of executives. It also prevents organizations from creating new opportunities quickly and pursuing future ones.

The move to simplification

Businesses know the risks of complexity, yet only 35% of global respondents have performed any streamlining of their operations, and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway.

Simplifying an organization takes time, requiring changes in viewpoints and company culture. That’s not easy to achieve, but the payoffs are mighty. Globally, the companies that have had the best cybersecurity outcomes over the past two years (most improved) are 5x more likely to have streamlined operations enterprise-wide. We see similar results among Canadian organizations.

More and more CISOs and CIOs are taking a hard look at their tech investments, no longer just entertaining or chasing the latest products from tech vendors. We’re seeing consolidation of tech vendors and applications to reverse the hard-to-manage and risky tangle of disparate and vulnerable software and tech stacks.

Simplification of cyber

To be fair, simplifying cybersecurity can be challenging. Asked to prioritize among nine initiatives aimed at simplifying cyber programs and processes, Canadian respondents displayed a slight preference for adoption of a cloud-technology strategy, but numbers otherwise were very similar.

CISOs who are building layers of control, for defence in depth, are well intentioned but must guard against introducing more complexity and cost. More controls and security technologies don’t always make a company more secure.

Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation. Yet companies typically waste an average of 35% of their cloud budgets on inefficiencies. Runaway complexity can quickly result from extensive technology options, new architectural approaches, complicated service plans, unused capacity and confusing billing and pricing, especially when the technologies offered are constantly changing.

Done right, however, cloud transformations can be secure, efficient and successful. Cloud security is among the top investment priorities of our Canadian survey respondents. That’s encouraging—but only 20% of Canadian respondents report realizing benefits from these investments (16% globally). Thirty-four percent haven’t fully benefited from cloud security investments (35% globally), and 42% are just starting or planning theirs (45% globally).

Whether or not you’re using the cloud to simplify, minimizing and combining your tech stack and processes may feel like a bold move. Doing so requires asking hard questions and maintaining a keep-it-simple mindset. To get there, your organization will need security-minded leadership starting at the very top.


Simplification in organizations: At least 1 in 4 Canadian respondents has streamlined over the last two years


[Chart columns: Canada, Global]

Defined a new mix of remote/virtual and on-site work
Reorganized functions and ways of working
Automated standard, repetitive processes
Created an integrated data governance framework
Defined or re-aligned the mix of in-house resources and managed services
Consolidated technology vendors
Created an integrated dashboard for key metrics
Rationalized technologies, including decommissioning legacy technologies
Removed redundancies in processes

Question: In the last two years, to what extent has your organization streamlined operations in the following ways? Percentage responding “completed enterprise-wide.” Other potential responses were “partially completed,” “just started” or “not at all.”
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

Simplification of cyber: Spending is spread across several initiatives

Average share of total spending on cyber simplification


Adopting a cloud-first technology strategy
Integrating controls and processes across disciplines
Creating an integrated governance structure for data
Rationalization of technology
Rationalizing the supply chain
Restructuring the security team
Creating an integrated third-party risk management office
Creating an integrated resilience playbook
Reduction of outdated or end-of-life technology

Question: In the next two years, what proportion of your cybersecurity spend will your organization allocate to each of the following initiatives to simplify cybersecurity?
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

A foundation for data you can trust for better business decisions

Organizations first need to set up that good foundation we call data trust: making sure you’re using data responsibly, securely, accurately and ethically so you can rely on it for business decisions. (And when it comes to customer data, you want to make sure customers know they can trust you to keep their information safe from unauthorized eyes and inappropriate use.)

But only approximately a third of respondents, both in Canada and globally, report having mature, fully implemented data trust processes in four key areas: governance, discovery, protection and minimization. Nearly one in five Canadian respondents (one in four globally) says they have no formal data trust processes in place at all. Once you’ve crafted your data strategy, governance—the policies, procedures and processes for fulfilling the strategy—should follow immediately.

Securing your data from tampering as well as theft is also critical to success, yet only about one-third of Canadian and global respondents report having in place fully implemented, formal data security processes including encryption and secure data-sharing (30% in Canada; 34% globally). Verifying and protecting the integrity of your data are essential as well. Not doing so is like hiring workers without fact-checking their resumés. You can’t be certain of the quality of the information.

And only 36% have mapped all their data (35% globally), meaning they know where it comes from and where it goes. Even fewer—29%—have mature data minimization processes (35% globally).

The two-thirds of organizations that haven’t formally implemented data trust practices may be at risk in more ways than one.

Effective data governance is important not only for operational resilience, but also for compliance with regulations such as Bill 64 in Quebec and the expected reintroduction of the federal Consumer Privacy Protection Act (Bill C-11). Both bills include significant regulatory changes in the way companies operating in Canada must protect personal information and are backed by substantial fines for non-compliance. When someone asks for information about their data—what you’re keeping and what you’re doing with it—you need to be able to answer quickly and accurately.


Data trust practices have yet to become the norm

Percentage who say they’ve fully implemented formal processes around these data trust practices


[Chart columns: Canada, Global]

Data governance
Combined strategy for data management, cyber, privacy and other info governance functions
Capability and process for valuing data assets and continuously improving data quality

Data discovery
Understanding of where personally identifiable information (PII), sensitive data, intellectual property and high-value data reside throughout the enterprise

Data protection
Data inventory, knowledge of where data comes from, how data moves through business processes and systems, and how it’s transformed
Ability to share data securely with third parties, business partners and suppliers, and to potentially “audit” their compliance to terms
Deployment of processes and technologies that provide encryption, tokenization, redaction/masking technologies

Data minimization
Data retention and data elimination policies and schedules

Question: For each of the following, please rate how mature your organization’s data trust practices are. Percentages are for the response “formal process, fully implemented.”
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

Takeaways

For operations and transformation leaders

Ask: What’s the cyber plan for that? You can ignite major change—operational and cultural—simply by asking this one question of every business executive in charge of a transformation or new business initiative. By placing cybersecurity front-row centre, you can avoid the unnecessary and costly complexities you may see now, when it’s an afterthought.

Include the CISO and security teams early in cloud migration and adoption, mergers and acquisitions, and other organizational initiatives. That way, every executive at the helm of a major business initiative will be able to readily answer the cyber-plan question.

For the CISO, CDO and CIO

Dare to subtract. Left on their own, technology and data tend to multiply, divide and conquer efficiency and security. Whittle down excess with security goals in mind: assess your data stores and eliminate everything you don’t need now. Move your disparate apps and solutions into a cloud environment for easier management and consolidate, liquidate and automate where you can. Also, rethink your tech and cyber investment processes. Focus first on simplifying where benefits are greatest for the whole organization.

For the CPO

With regulatory updates including big fines on the horizon, now is the time to take a strategic data trust approach. Build an ecosystem that will allow your organization to create, use, share and retire data securely and transparently. Invest as needed to improve your customer experience and build the trust you’ll need to unlock data value. This will help you better protect customer and employee privacy, manage your privacy risk exposure, get the needed buy-in from the business and enable your company’s strategic data-related priorities.

Contact us

Naren Kalyanaraman

Partner, Cybersecurity, Privacy and Financial Crime National Leader, PwC Canada

Tel: +1 416 815 5306

Alvin Madar

Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada

Tel: +1 604 806 7603

Joanna Lewis

Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada

Tel: +1 416 687 9139