Key findings from PwC’s 2024 Global Digital Trust Insights survey

Adopting a security first mindset: Learning from the top 5%

  • October 06, 2023

Matt Gorham

Cyber & Privacy Innovation Institute Leader, PwC US

Costly breaches are on the rise. Cloud attacks are a common occurrence. Threat actors are growing in sophistication — with new tools, like Generative AI, at their disposal. As a result, organizations are feeling pressured to invest in and modernize their technology infrastructure. However, too few are doing so while also consolidating their tech stacks and streamlining systems so as not to create more risks and vulnerabilities. And all of this is happening against the backdrop of macroeconomic, geopolitical and regulatory uncertainty. Suffice it to say: Companies have a lot on their plates.

The findings from our 2024 Global Digital Trust Insights survey highlighted significant discrepancies between the top 5% of companies — we call them stewards of digital trust — and the majority of companies that are leaving a lot of room for improvement.

  • DefenseGPT. Organizations are eager to deploy generative AI tools for cyber defense—in fact, more than two-thirds (69%) say they’ll use GenAI for cyber defense in the next 12 months. That said, proper AI governance will be key here. And it’s worth noting that those who feel equipped to harness GenAI for defense are also less concerned about it as a catastrophic risk. The top 5% are more positive about the potential impact of GenAI. For example, they strongly agree that it will develop new lines of business (49% vs 33% overall) and that they will use GenAI tools for cyber defense (44% vs 27%). They are also more likely to disagree that ‘GenAI will lead to a catastrophic cyber attack’ (33% vs 22% overall).
  • It’s all about the Cloud. Cloud-related threats and attacks on connected devices are the top-rated cyber threats over the next 12 months, with nearly half (47%) saying it’s their top concern. And yet, only 3% have implemented a plan and continually update risk management across all areas. In contrast, the top 5% are 4x more likely to be continually updating their risk management plan to mitigate cloud risks.
  • The proportion of costly cyber breaches ($1M+) has increased since last year. But the top 5%, who pride themselves on the maturity of their cybersecurity initiatives, report a greater number of benefits and a lower incidence of costly cyber breaches. Only 29% of the top-performing companies experienced a breach of $1 million or more, vs 36% of organizations overall.
  • Digital and technology risks are most interconnected with cyber risks. It’s important that CISOs and tech leaders position themselves at the epicenter of innovation within their organizations—so that any new endeavors are approached with a security-first mindset. However, fewer than a third of organizations reported that they are performing key leading cyber-related practices on a ‘usual’ basis.

Rather than wag the finger at companies that are trying to keep pace with both the increasingly complex and escalating threat landscape we find ourselves in and the latest and greatest developments in technology, let’s simply take our cues from the top 5% and uncover the recipe for their success so that it can be recreated.

Not surprisingly, it starts with putting security at the epicenter of innovation.

  • They take a more responsible approach to all things AI. The top 5% are excited—as many others are—to lean into GenAI. That said, they’re less likely to deploy AI tools until they’ve implemented the proper internal policies—with 31% of these stewards of digital trust disagreeing with deploying these tools before proper governance, vs. 19% overall. Harnessing the potential of AI is appealing to the masses—but not when it compromises security and integrity.
  • They are more mature when it comes to optimizing and improving all cyber resilience actions. With breaches becoming more common, viewing them as a matter not of if, but when, is what separates the top 5% from the pack. Their continuous investments in tools and technologies, their agile defenses and the overall sophistication of their cyber risk management programs are what fuel their resiliency. It’s how they’re able to limit the scope of a breach’s impact, including time and money, when they inevitably become a target. And this is something every organization should be prioritizing in light of the new SEC cyber rules. Companies that are equipped to quickly assess the impacts of a breach will be better positioned to report on it in a timely fashion in the 8-K, and those with better cybersecurity risk management programs will have an easier time articulating the specifics of that program in the 10-K.
  • They implemented key cybersecurity initiatives from which they are already realizing benefits. And, they are more likely to be very satisfied with their current technology capabilities in key cybersecurity areas. Surprisingly, there are still many companies who struggle with the basics. There is no shame and no consequence in revisiting the fundamentals of your cybersecurity risk management program. In fact, resilience hinges on your company’s agility. As both the tech and threat landscape continue to evolve, excelling at the basics will be key.
  • They’re not clouded by hyperscaler challenges. Another way top performers are remaining agile is via a diversity of cloud providers. They’re more likely to currently use a hybrid of public and private cloud providers (57%) and have implemented a plan that is continually updated to mitigate hyperscaler challenges, a winning strategy that all companies should consider.

Takeaway

Today’s most successful C-suites are the ones who are getting comfortable with uncertainty and taking the necessary steps to facilitate cohesion, coordination and collaboration throughout their entire organization, with an all-encompassing security-first mindset. From defense to innovation and growth—the key is keeping security at the heart of it all. The challenges we are up against are only going to grow in complexity, so it is my sincere hope that come next year’s survey, the top companies — the stewards of digital trust — will be the many, rather than the few.

2024 Global Digital Trust Insights

Check out the latest findings of PwC's 2024 Global Digital Trust Insights, reflecting the views of over 3,800 executives.
