Organisational leaders recognise the importance of verifying and safeguarding their business information. Asked to frame the cybersecurity mission, the number-one response was, “A way to establish trust with our customers with respect to how we use their data ethically and protect their data.” Eighteen percent of CEOs and 20% of non-CEOs selected customer trust as the way the CEO frames the cyber mission in their organisation.
Data infrastructure and data governance rank as the two most needlessly complex aspects of business operations in PwC’s 2022 Global Data Trust Insights Survey: 77% say both have “avoidable, unnecessary” levels of complexity. About three-quarters say complexity in these areas poses “concerning” risks to cybersecurity and privacy. Complexity of data can stymie any organisation’s ability to effectively use the information it collects and generates.
Organisations first need to set up the good foundation we call data trust: making sure your data is accurate, verified and secure so you can rely on it for business decisions. (And when it comes to customer data, you want to make sure customers know they can trust you to keep their information safe from unauthorised eyes.)
But only about a third of respondents report having mature, fully implemented data-trust processes in four key areas: governance, discovery, protection and minimisation. Nearly a quarter of our respondents say they have no formal data-trust processes in place at all.
Only about one-third of organisations report having a full, formal data governance program — a surprisingly low number. Once you’ve crafted your data strategy, governance — the policies, procedures and processes for fulfilling the strategy — should follow immediately.
Securing your data from tampering as well as theft is also critical to success, yet only about one-third of respondents report having in place fully implemented, formal data security processes including encryption and secure data-sharing (34%). Verifying and protecting the integrity of your data is essential as well. Not doing so is like hiring workers without fact-checking their resumes. You can’t be certain of the quality of the information.
And only 35% have mapped all their data, meaning they know where it comes from and where it goes. The same goes for mature data minimisation processes.
Data is the asset attackers covet most. Your company can minimise that risk by minimising the target. You must govern, discover and protect only the data you need — and eliminate the rest. Drafts, duplicates, superseded data, legacy data and employee personal data are common candidates for elimination. Low-value data not only creates unnecessary risk, it also crowds out or buries your high-value data.
The two-thirds of organisations that haven’t formally implemented data trust practices may be at risk in more ways than one. Effective data governance is important not only for operational resilience but also for compliance with regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). New, more stringent regulations loom on the horizon as well. When someone asks for information about their data — what you’re keeping and what you’re doing with it — you’d better be able to answer quickly and accurately. If it’s a regulator doing the asking, the wrong answer could bring heavy fines.
Turning data into true assets that can increase your revenues is one benefit of good data security — as some leading businesses are discovering. Our “most improved” are more than 10x more likely to have a formal process fully in place for all data trust practices.
According to our Trust in Data Survey, companies with more mature data trust practices tend to be ahead in many respects. They earn revenues from data monetisation by personalising services, operating more efficiently and better serving their customers. They strongly agree that higher customer trust leads to demonstrably higher revenue. They’ve made significant moves in the past year to improve customer and investor trust. And they’re more confident in their third-party risk management program because they monitor their third parties more.
Percentages who say they have fully implemented formal processes around these data trust practices
Chances are good that neither you nor your competitors are letting data inform your cyber risk management. Fewer than one in three survey respondents say they’ve integrated analytics and business intelligence tools into their operating model.
These respondents scored lowest in their ability to turn data into insights for cyber risk quantification, threat modeling, scenario building and predictive analysis — all critical technologies for smart cybersecurity decisions.
So many entities fail to benefit from today’s advanced intelligence tools and approaches. New types of internal data, data from new external sources, new data partnerships and information-sharing platforms can be important sources of business intelligence, but only about a quarter of respondents say they’re reaping benefits from these tools.
The other three quarters are missing out. Businesses predicting an increase next year in their cybersecurity spending are often the same enterprises whose operational models use business intelligence and data analytics. Data can not only help you spend your cyber budget wisely, it can also help you get more to work with. The most improved (top 10% in cyber outcomes) are 18x more likely to state that these advanced approaches are integral to their operating model.
Percentage who say these are critical to their operating model today
Percentage who report realising benefits from these tools and approaches
“In today’s system-of-systems world, cybersecurity can no longer be treated as a ‘too-hard-to-measure’ problem,” the US Cybersecurity and Infrastructure Security Agency argues. Still, as we saw above, only 26% quantify cyber risks today.
The data you use to spot and understand threats, put a dollar figure on risks and prioritise them, and predict cybercrime trends can be a powerful tool for convincing boards and the CEO to invest in your cyber program. On the other hand, if you’re having trouble getting the funding you need for cyber, you may need to do a better job of quantifying your cybersecurity risk.
By the same token, data can help you stay apprised of real-time risks, and adjust security tactics and strategies as the business shifts. Respondents in five business sectors said the most important reason to quantify cyber risk is “to continuously evaluate our risk landscape and priorities against changing business objectives.” Enterprise leaders recognise that risks are always in a state of flux and that data is the tool that lets them monitor and measure changes.
Sizing up risks is also important for sizing up opportunities and linking cyber-threat narratives to business narratives that the C-suite and boards can understand. A growing number of organisations recognise the importance of cybersecurity to business — but many still have a long way to go. Between 37% and 42% claim “significant progress” linking the two, while 16% to 18% say they’ve made little or no progress aligning cyber and business goals.
Our respondents do make predictions about the next 12 months. Sixty percent expect an increase in cybercrime; 53% say nation-state attacks are likely to grow. Mobile, the Internet of Things, and cloud top the list of anticipated targets. But the type of attack could take almost any form, in our respondents’ minds. Cloud service attacks (22%) narrowly edged out ransomware (21%) and cryptomining (21%) as most likely to see significant increases, and a long line of other attack types scored at 20% and 19%. Notably, 56% expect a rise in breaches via their software supply chain, with 19% eyeing significant increases — a number that grows to 25% among North American respondents.
Partner, Global Cybersecurity and Privacy Leader, Risk Services leader, PwC United States