25 Jun What the Top 25% of Cybersecurity Pros do Differently in Strategy, Risk and Communication
There’s a talent shortage in cybersecurity, but talent alone won’t solve the problem at the core of security. That’s according to PwC’s Digital Trust Insights (DTI) survey of some 3,000 IT professionals.
“Adding more cybersecurity professionals is not enough,” according to the consulting firm. “Companies need to reframe what cybersecurity professionals do and how they do their job.”
Indeed, the report itself is an indication of how much the role of security has evolved. The DTI survey is a “rebooting” of a study – the Global State of Information Security Survey – the firm has run for nearly two decades. This is because the “landscape has evolved to be less about ‘information security’ and more about managing digital risk.”
The study found that some security professionals are better at this than others. It identified the top 25%, which it calls “trailblazers.” According to the analysis, this cohort tends to be more proactive, optimistic and “far more likely to be credited with adding significant value” to the business.
Specifically, the study quantified what this top 25% does differently across three key areas: strategy alignment, risk-based approach, and coordination in execution. The chart below is an illustration of the overall data.
The company provides an interactive tool to explore the data more closely. We used it to cull through the information to better understand what the top cybersecurity performers do differently. Below is what we found.
Note: Charts used with permission – © PwC – see credits below.
1) Top security pros are better aligned with the business strategy.
The study measured alignment with business strategy across several areas, with emphasis on where security falls on the list of business priorities and how well security is integrated with other teams:
- Top performers come from businesses that see security as urgent. 40% of trailblazers say their organization ranks security as “urgent” on a 5-point scale – vs. 22% of all respondents;
- Top performers are well integrated into the business. 65% of trailblazers strongly agreed that the cybersecurity team was “embedded in the business, conversant in our business strategy and has a cybersecurity strategy that supports business imperatives” – vs. 28% of all respondents;
- Top performers say security is part of R&D. 54% of trailblazers strongly agreed that “cybersecurity is woven throughout our operations and R&D” – vs. 28% of all respondents;
- Top performers are more likely to use new tech and automation. 59% of trailblazers strongly agreed their team “uses automation and emerging technologies for threat intelligence, defense and recovery” – vs. 29% of all respondents; and
- Top performers are focused on building trust. 61% of trailblazers strongly agree with the idea that their “cybersecurity team builds digital trust” – vs. 30% of all respondents.
2) Top security pros partner with other risk managers and are always involved in transformational projects.
PwC examined the risk-based approach across four categories and found that top-performing security teams are not just well integrated with other risk management functions, but also report working well with them:
- Top performers work well with other risk managers. 64% of trailblazers strongly agreed their “team works in strategic partnership with all other functions that manage risk” – vs. 29% of all respondents;
- Top performers develop a common operating picture of threats. 76% of trailblazers strongly agreed their team works “with the risk, internal audit and compliance teams” to develop “a common view of risk and threats across the ecosystem” – vs. 50% of all respondents;
- Top performers are risk-based rather than transactional. 56% of trailblazers strongly agree their team “takes a risk-based approach in securing the ecosystem, rather than a transactional approach” – vs. 25% of all respondents; and
- Top performers are “always” involved in transformation activities. 89% of trailblazers say security is “always involved” in managing “risks stemming from” the “organization’s business transformation or digital initiatives” – vs. 53% of all respondents.
3) Top security pros communicate and coordinate effectively with business leaders.
The study revealed a big difference in how security leaders and their teams communicate and interact with business leaders:
- Top performers communicate effectively with business leaders. 71% of trailblazers strongly agreed their security “team communicates effectively with the board and senior executives about cyber risks and adjacent risks” – vs. 33% of all respondents;
- Top performers regularly interact with senior leaders. 77% of trailblazers strongly agreed their security “team has sufficient interaction with senior leaders [CFO, COO, CISO] to develop an understanding of the company’s risk appetite around core business practices”; and
- Top performers belong to teams more likely to offer a service catalog. 39% of trailblazers say they offer an accessible “catalog of security services” complete with service levels, metrics and associated costs – vs. 14% of all respondents.
PwC suggests benchmarking your organization in each of the five functions of the NIST Cybersecurity Framework – Identify, Protect, Detect, Respond and Recover – against the six maturity levels defined by the CMMI Institute – Optimizing, Quantitatively Managed, Defined, Managed, Initial and Incomplete.
The study did just that with respondents. For example, the chart embedded below compares trailblazers to all respondents for the “Detect” function.
The numbers at the mature end of the model work out like this:
- 17% of trailblazers are at the “optimizing” level of detection – vs. 12% of all respondents;
- 31% of trailblazers are at the “quantitatively managed” level of detection – vs. 21% of all respondents.
At the middle and low-maturity end of the model, the numbers flip:
- 26% of all respondents are at the “defined” level of detection – vs. 21% of trailblazers;
- 25% of all respondents are at the “managed” level of detection – vs. 18% of trailblazers;
- 10% of all respondents are at the “initial” level of detection – vs. 4% of trailblazers; and
- 4% of all respondents are at the “incomplete” level of detection – vs. 1% of trailblazers.
“Businesses that embed cybersecurity in every corporate action will be better positioned to deliver the advantages of digital transformation, manage related risks and build trust,” concludes the report. “This behavior is bound to generate attention in the marketplace as today’s trailblazers – and those who join their ranks – crowd out the competition over time.”
The resource PwC has put online around this study is free and does not require registration. The chart is interactive, lets you filter the data by industry and geography, and provides a handy tool for generating images that illustrate the data under the filters you’ve applied. It could be very useful for producing benchmarks more specific to your organization.
If you enjoyed this post, you might also like:
The 10 Tenets of CISO Success Frank Kim Presented at RSA
Image credits: Images used with written permission. © PwC. Not for further distribution without the prior written permission of PwC. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.