Are you securing against the most important risks today and tomorrow?

Only one in three Canadian organizations uses data and intelligence when making decisions. Those with the best cybersecurity outcomes globally over the past two years are 18x more likely to say data and intel are integral to their operating model.

Size up your risks—using data and intel—to realize opportunities

Chances are good that neither you nor your competitors are letting data inform your cyber risk management.

Fewer than two in five Canadian survey respondents (one in three globally) say they’ve integrated analytics and security intelligence tools into their cyber operating model.

These Canadian respondents scored lowest in their ability to turn data into insights for threat modelling, scenario building and predictive analysis—all critical technologies for smart cybersecurity decisions.

So many entities fail to benefit from today’s advanced intelligence tools and approaches. New types of internal data, data from new external sources, new data partnerships and information-sharing platforms can be important sources of security intelligence, but only about a quarter of respondents say they’re reaping benefits from these tools.

The other three-quarters are missing out. Businesses predicting an increase next year in their cybersecurity spending are in many cases the same enterprises whose operational models use security intelligence and data analytics. Data can not only help you spend your cyber budget wisely, but it can also help you get more to work with. The most improved (top 10% in cyber outcomes) global organizations are 18x more likely to state that these advanced approaches are integral to their operating model—a scenario we frequently see in Canada as well.


Executives underutilize data and intel for better decisions and risk management.

[Chart: Canada and global responses]

Percentage who say these are integral to their operating model today:

  • Real-time threat intelligence
  • Cyber risk quantification, using FAIR or other methods
  • Use of generally accepted standards and frameworks in assessment and diagnostic tools
  • Policy and regulatory strategic intelligence platform
  • Common industry metrics and dashboards
  • Autonomous threat detection, including cognitive security
  • Threat modeling, scenario building and predictive analysis

Percentage who report realizing benefits from these tools and approaches:

  • New types of internal data we’ve not traditionally used
  • New data partnerships to complement and enrich our first-party data sources
  • Information sharing platforms with industry
  • Information sharing platforms with government agencies
  • New external sources of information we’ve not traditionally used

Questions: To what extent does your organization use the following tools and approaches when making decisions about cyber investments and responding to cyber risk? What best describes your organization's plans for using the following tools and approaches for better operational intelligence?
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

“In today’s system-of-systems world, cybersecurity can no longer be treated as a ‘too-hard-to-measure’ problem,” the US Cybersecurity & Infrastructure Security Agency argues. Still, as we saw above, only 30% of Canadian organizations quantify cyber risks today (26% globally).

The data you use to spot and understand threats, put a dollar figure on risks, prioritize them and predict cybercrime trends can be a powerful tool for convincing boards and the CEO to invest in your cyber program. On the other hand, if you’re having trouble getting the funding you need for cyber, you may need to do a better job of quantifying your cybersecurity risk.

By the same token, data can help you stay apprised of real-time risks and adjust security tactics and strategies as the business shifts. Globally, respondents in five business sectors said the most important reason to quantify cyber risk is “to continuously evaluate our risk landscape and priorities against changing business objectives.” Enterprise leaders recognize that risks are always in a state of flux and that data is the tool that lets them monitor and measure changes.

Sizing up risks is also important for sizing up opportunities and linking cyber-threat narratives to business narratives that the C-suite and boards can understand. A growing number of Canadian organizations recognize the importance of cybersecurity to business—but many still have a long way to go. Between 33% and 49% claim “significant progress” linking the two (37% and 42% globally), while 9% to 16% say they’ve made little or no progress aligning cyber and business goals (16% to 18% globally).


Executives want to size up cyber risks in a continually changing risk landscape

| Reason to quantify cyber risk | Canadian rank | Global rank |
|---|---|---|
| To help evaluate and communicate risks in line with a defined risk tolerance | 1 | 3 |
| To provide information on the return on security investments | 2 | 9 |
| To measure the contribution of our security capabilities to risk mitigation | 3 | 4 |
| To identify and justify improvements to, or transformation in, protective capabilities | 4 | 2 |
| To continuously evaluate our risk landscape and priorities against changing business objectives | 7 | 1 |

Question: What are your organization’s most important reasons to quantify cyber risk?
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

The 2022 threat outlook

Our Canadian respondents do make predictions about the next 12 months. Seventy percent expect an increase in cybercrime (60% globally), and 55% say nation-state attacks are likely to grow (53% globally). Mobile, the Internet of Things and cloud top the list of anticipated targets. But the type of attack could take almost any form, in our respondents’ minds.

Ransomware (23% in Canada; 21% globally) narrowly edged out compromised business email (22% in Canada; 20% globally), cloud service attacks (22% in Canada and globally) and disinformation (22% in Canada; 19% globally) as most likely to see significant increases. And a long line of other attack types scored between 10% and 21%. Notably, 54% expect a rise in breaches via their software supply chain (56% globally), with 19% of Canadian and global respondents eyeing significant increases.


The 2022 threat outlook: Executives expect a surge in attacks and reportable incidents

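Reportable incidents

| | Canada: increase significantly | Canada: increase | Global: increase significantly | Global: increase |
|---|---|---|---|---|
| Ransomware | 23% | 38% | 21% | 36% |
| Attack on cloud services | 22% | 37% | 22% | 36% |
| Disinformation | 22% | 37% | 19% | 33% |
| Business email compromise | 22% | 33% | 20% | 35% |
| Attack on hardware supply chain | 21% | 34% | 16% | 34% |
| State-sponsored attack on critical infrastructure | 21% | 29% | 20% | 33% |
| Attack on software supply chain | 19% | 34% | 19% | 36% |
| Malware via software update | 18% | 43% | 20% | 36% |
| Cryptomining | 17% | 39% | 21% | 33% |
| Foreign influence in research and development | 10% | 46% | 19% | 34% |

Threats via vectors

| | Canada: increase significantly | Canada: increase | Global: increase significantly | Global: increase |
|---|---|---|---|---|
| Mobile | 25% | 43% | 27% | 38% |
| Internet of Things | 24% | 39% | 26% | 39% |
| Cloud service provider | 24% | 38% | 23% | 38% |
| Third party | 20% | 34% | 19% | 36% |
| Social engineering | 13% | 44% | 23% | 37% |

Threats via actors

| | Canada: increase significantly | Canada: increase | Global: increase significantly | Global: increase |
|---|---|---|---|---|
| Cyber criminals | 32% | 39% | 25% | 35% |
| Current employee | 22% | 32% | 18% | 30% |
| Third party or contractor | 20% | 31% | 18% | 33% |
| Hacktivist/hacker | 18% | 40% | 22% | 36% |
| Competitor | 18% | 32% | 17% | 33% |
| Nation states | 15% | 40% | 19% | 34% |
| Past employee | 15% | 33% | 16% | 26% |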

Questions: How do you expect a change in reportable incidents for these events in your organization? How do you expect threats via these vectors/actors to change in 2022 compared to 2021?
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

Takeaways

For the CFO and CRO

  • Work with the CISO in taking a quantified and risk-based approach to cyber budgeting that ties to business objectives.

For the CISO

  • Create a roadmap from cyber risk quantification to real-time cyber risk reporting.
  • Don’t stop at cyber risks. Tie the cyber risks to overall enterprise risks and, ultimately, to effects on the business.
  • With a fuller accounting of cyber risks, identify what works in your business model and where you might need to simplify.