Cyber security remains one of the key levers that CEOs can draw on to protect their organisation from evolving risk. 48 % of CEOs say they are increasing investment in cyber security or data privacy in response to rising geopolitical conflict. After a turbulent 12 months, it is no surprise that global CEOs identify inflation (40 %), macroeconomic volatility (31 %) and geopolitical conflict (25 %) as their top three risks for the year ahead. Cyber is fourth (20 %) and it's the top operational risk, remaining firmly on board agendas. The geopolitical environment and rapid digitisation continue to focus CEO attention on cyber risk. German CEOs rate cyber risks even higher than their international peer group (29 % to 20 %).
These are the findings of PwC's 26th Global CEO Survey, in which almost 4,500 CEOs worldwide took part.
“With digitalisation moving faster than ever and increasing threats to critical infrastructure, it's important that senior management keeps momentum with cyber programs. These will be absolutely critical to future business success.”
Although rising energy prices and high inflation expectations have overshadowed information security as an acute field of action for executives, it remains highly relevant now and is becoming more so as a long-term topic, especially in Germany, not least in direct connection with the Russian invasion of Ukraine and geopolitical developments. Thus, cyber risks lead the list of expected operational threats in the next five years by a wide margin in this country (39 %), while CEOs worldwide do not rate them significantly higher (25 %).
This development has particular potential for damage because technological transformation remains the most important investment goal of German companies. 86 % of companies plan to invest in the automation of their processes and systems, and the use of new technologies is still on the agenda as an investment goal for 71 %. At the same time, the geopolitical development that is now causing the change in priorities is making companies and public institutions attractive targets for criminal actors to varying degrees – the probability of incidents occurring is increasing.
Last year's survey showed how aware German executives already are of the risk posed by cyber espionage, data theft, ransomware and other threats. In the face of global uncertainties, however, much more concrete business imperatives have now emerged – which in turn can open up new gateways for attackers. CEOs around the world report that they are cutting operating costs (52 %) and diversifying their product and service offerings (48 %), or planning to do so in the next 12 months. The danger is that if companies cut budgets for IT staff, IT infrastructure and security solutions and rush new services and products to market without security-by-design, the damage in the event of an attack can be significantly higher than any savings.
Last year, cyber attacks were the top risk for the C-suite; this year they are in the middle – although they are becoming more likely. Why is that?
Grant Waterfall: Cyber security remains the top operational risk for CEOs in 2023, reflecting CEOs' understanding of the importance of cyber security to their digital aspirations and the threats presented by a volatile geopolitical environment. The collective assessment of the next five years shows that executives are pushing cyber risk further up the agenda.
Why do German and international managers assess the long-term cyber security risks so differently?
Waterfall: German CEOs rate cyber risk significantly higher than their international peers, particularly the USA. I believe that there are a few possible reasons for this. Firstly, the pandemic has given Germany a decent boost in digitalisation, resulting in much greater reliance on technology and greater CEO awareness of digital risks. Second, the geopolitical environment has raised cyber threats to critical infrastructure and the perception is particularly acute in Germany when compared to other Western peers. Third, there is an extremely active regulatory environment in Germany and across the EU, for example the introduction of the Digital Operational Resilience Act (DORA) for Financial Services and the NIS 2 Directive covering critical infrastructure. Both these regulations bring significant penalties for non-compliance and implementation will be a challenge for many organizations, especially in the light of talent shortages.
How can managers better secure their companies against cyber attacks in the future?
Waterfall: First of all, IT security must be firmly anchored strategically. This starts in the management with its own Chief Information Security Officers, continues in the corporate goals and also applies to service and product development. Cross-functional teams are a central factor in increasing digital resilience – the goal must be that security does not remain a silo issue. This can also help to reduce the complexity of one's own IT infrastructures – for example, through the decommissioning of old servers, clearer processes, stricter access management and ISMS. These are all points that are elementary for holistic cyber security.