PwC Urges Boards to Give CISOs a Seat at the Table
Cyber-resilience efforts are lagging among global organizations, partly because they’re failing to get CISOs involved in strategic technology investments, according to PwC.
The consulting giant polled over 4000 business and technology executives to compile its annual Global Digital Trust Insights report.
It found that just 2% of responding organizations have implemented cyber resilience actions across all areas surveyed. That could be because CISOs are not given enough power and autonomy. Less than 50% are involved to a large extent in strategic planning on cyber investments, PwC claimed.
“Give your CISO a seat at the table,” the report urged. “Their insights are vital for proactively navigating cybersecurity as a core business enterprise risk. Involving them at the highest level helps your organisation align its approach to safeguarding critical assets and driving resilience.”
In fact, the gap between tech and business executives’ outlook and priorities is also noticeable elsewhere. Two-thirds (66%) of tech executives ranked cyber as the highest risk for mitigation, versus half (48%) of business executives. On the other hand, business execs are more concerned about inflation (53%) than their tech peers (44%).
Another symptom of poor alignment between business and cyber goals is the fact that just 15% of respondents are measuring the financial impact of cyber risks to a significant extent. That’s despite the vast majority (89%) agreeing that this is key to prioritising cyber-risk investment.
Among the main barriers to improvement in this regard are uncertainty around the scope of risk, data and reliability issues, and compliance concerns, the report claimed.
“It’s time to realise the full potential of cyber risk quantification. The gap between recognition and implementation is a missed opportunity that can no longer be ignored,” PwC argued.
“Organizations that don’t measure cyber risk or haven’t fully developed this capability are leaving critical intelligence on the table, particularly when it comes to informing board decisions and capital allocation.”
Compliance Concerns
Another key area where business and tech executives are not yet aligned is compliance. The report highlighted a 13 percentage-point gap in confidence between CISOs and CEOs regarding compliance with AI and resilience regulations.
“Because CISOs are more attuned to the day-to-day operational difficulties, resource constraints and potential vulnerabilities that can hinder cyber compliance, it’s vital that they more effectively communicate these risks to the leadership team,” PwC said. “What’s preventing them? Potential obstacles include barriers to CISO participation in strategic decisions and an inability to justify the amount of cyber risk investment needed.”
Greater CISO-board alignment will require CISOs to make a more forceful business case for more involvement in strategy. It will also require the board to take a closer interest in cyber risk program developments, and the CEO/CFO/CIO to participate in cyber-resilience exercises and assessments, PwC concluded.