
The C-Suite Report:

The Current and Future State of Cybersecurity

Sponsored by

Goals & Methodology

An online quantitative survey of CEOs and CISOs, conducted by WSJ Intelligence and sponsored by
Forcepoint, explores the current state of cybersecurity — and what the ideal cybersecurity system
would look like if IT and business leaders were in a position to design it from the ground up.

The survey also assesses the challenges that lie between current cybersecurity systems and the
ideal, as well as the technologies and risks to watch going forward.

In field: November 6-26, 2019

Respondent Profile

Region
Europe: 55%
U.S.: 25%
APAC: 21%

Europe: U.K. (25%), France (15%), Germany (15%)

APAC: India (5%), Hong Kong (6%), Singapore (5%), Australia (5%)

Industries
Life sciences: 15%
Health care: 13%
Manufacturing: 13%
Finance: 13%
Transportation: 13%
Retail: 12%
Energy: 12%
Telecom: 12%

Annual Revenue (USD)
Average: $10.4B
Under $2B: 22%
$2B-$4.9B: 18%
$5B-$9.9B: 20%
Over $10B: 41%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Total Respondents n=200.

I. CEOs & CISOs Are Largely Aligned
on the Importance of Cybersecurity

Cybersecurity is a top priority throughout the professional world.

Executives are confident they are doing everything they can to minimize the risks they face,
but CEOs are at a remove from the ongoing development of cybersecurity strategy.

Not Surprisingly, Nearly All Agree Cybersecurity Is a Top Priority

Cybersecurity is…

In the context of evaluating various potential risk factors, cybersecurity is a top priority for
virtually all, with little difference between CEOs and CISOs.

[Stacked bar chart: share rating cybersecurity “A high priority” or “The top priority,” by CEO, CISO, Leaders, APAC, Europe and U.S.]

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100, Leader n=66, APAC n=44, Europe n=109, U.S. n=50.
Q3. When your organization assesses the risk factors facing it, what level of priority is assigned to cybersecurity?

CEOs and CISOs Are Aligned on the Value of Cybersecurity

CEOs primarily rate the business value of cybersecurity as “excellent.”
CISOs primarily rate their CEOs’ understanding of current cybersecurity ROI as “excellent.”

Rating       CEOs (business value)    CISOs (CEO’s understanding of ROI)
Excellent    68%                      59%
Good         25%                      32%
Fair         7%                       6%
Poor         0%                       3%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q4. (CEOs only) How would you rate the business value obtained by your organization from its cybersecurity spending?
Q5. (CISOs only) How would you rate your CEO’s understanding of current cybersecurity ROI?

Most Agree Their Organization Is Above Average or Leading in
Key Digital/Cybersecurity Dimensions
CISOs are more confident than CEOs.

Organization Relative to Peers (Leader/Above Average)

[Bar chart: CEO vs. CISO ratings of their organization as Leader/Above Average for digital maturity, effectiveness of cybersecurity, and cybersecurity talent (acquisition & retention)]

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q1. Please rate your organization’s performance in each of the following areas relative to its peers.

Executives Are More Confident About the Strength of
Their Own Cybersecurity Measures
They see themselves as more prepared than their industry in general. This can be interpreted
as confidence: not that no threat exists, but that they are taking appropriate steps to meet the
current threat.

[Bar chart: share of CEOs and CISOs who rated cybersecurity as “Very Effective” in their organization vs. their industry]

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q2. How would you describe the state of cybersecurity today: in your organization, in your industry

Fewer Than Half of CEOs Have an Ongoing Cybersecurity
Strategy

State of Organization’s Cybersecurity Strategy

Ongoing review, update & implementation of cybersecurity strategy: CEO 46%, CISO 66%
Intermittent or less review, update or no formal strategy: CEO 54%, CISO 34%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q7. Which of the following best describes the state of your organization’s cybersecurity strategy?

Two-Thirds of Respondents’ C-Suites Connect Weekly or More
Frequently With CISO About Cybersecurity
Frequency of Conversations About Cybersecurity Among Members of C-Suite and CISO

[Bar chart: CEO vs. CISO responses for ongoing conversation, weekly check-ins, monthly check-ins, quarterly check-ins, and triggered by issue]

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q9. Which of the following best describes the frequency of conversations about cybersecurity between members of the C-suite and the CISO in your organization?

Leaders vs. Non-Leaders

We’ve defined “Leaders” as the executives who give their organizations the highest possible
rating for digital maturity, cybersecurity effectiveness, and cybersecurity talent and acquisition.

The “Leaders” group is diverse in terms of geography (slightly high concentration among U.K.
respondents, along with Hong Kong and Singapore, although from a very small base), industry
(small skew to energy, manufacturing and health care) and revenue (35% among companies with
under $10B in revenue, 30% among those with more than $10B). By company size, those with
$2B-$4.9B in revenue were most likely, with 51%, to qualify as “Leaders.”

“Leaders” report that cybersecurity is the top priority compared to “Non-Leaders” (88% vs. 48%)
and derive excellent value from cybersecurity spending (88% vs. 58%).

Leaders: 33%
Non-leaders: 67%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134.

Leaders Have a More Disciplined Approach to Cybersecurity
Strategy

We review, update and implement our cybersecurity strategy on an ongoing basis: Leaders 76%, Non-leaders 46%
We review and update our cybersecurity strategy intermittently, but maybe not often enough: Leaders 14%, Non-leaders 39%
Can’t remember when we last performed a full review of our cybersecurity strategy: Leaders 9%, Non-leaders 14%
We don’t have a formal cybersecurity strategy: Leaders 2%, Non-leaders 1%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134.
Q7. Which of the following best describes the state of your organization’s cybersecurity strategy?

Boards of ‘Leader’ Organizations Are More Engaged in Their
Cybersecurity Strategy

The Board of Directors recognize…

Cybersecurity is critical, and is fully engaged with it as part of a key business strategy: Leaders 82%, Non-leaders 39%
Cybersecurity is important, and is fairly well-engaged with it as part of a key business strategy: Leaders 14%, Non-leaders 43%
Cybersecurity is fairly important, and is somewhat engaged with it as part of a key business strategy: Leaders 3%, Non-leaders 16%
Does not recognize that cybersecurity is important, and does not engage with it as part of a key business strategy: Leaders 2%, Non-leaders 2%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134.
Q10. Which of the following best describes the mindset of the Board of Directors in your organization toward cybersecurity?

II. About Cybersecurity Strategy

Most respondents see cybersecurity as a major driver for both business and digital
transformation and stay engaged with the CISO.

But collaboration at the highest levels is badly hampered by the lack of a common vocabulary.

Most Value Agility Over Cost and Protecting Customer Data Over
Organizational IP
Cybersecurity strategy: Bipolar choice

Increase agility 62% / 38% Reduce costs
Protect customer data 58% / 42% Protect organization IP
Inside out (understand employee behavior to prevent valuable data from escaping) 56% / 44% Outside in (keep intruders out)
Open & collaborative work environment 54% / 46% Zero trust
Safeguard most valuable assets 51% / 49% Protect everything

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Total Respondents n=200.
Q8. Where is your organization’s current cybersecurity strategy positioned across the following dimensions?

Among Leaders: Agility and Protecting Customer Data Are Even
More Important, Stronger Priority Around ‘Protecting
Everything’
Leaders vs. Non-leaders

Increase agility / Reduce costs: Leaders 70% / 30%; Non-leaders 57% / 43%
Protect customer data / Protect organization IP: Leaders 63% / 37%; Non-leaders 56% / 44%
Inside out (understand employee behavior to prevent valuable data from escaping) / Outside in (keep intruders out): Leaders 58% / 43%; Non-leaders 54% / 46%
Open & collaborative work environment / Zero trust: Leaders 50% / 50%; Non-leaders 56% / 44%
Safeguard most valuable assets / Protect everything: Leaders 46% / 54%; Non-leaders 52% / 48%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leaders n=66 Non-Leaders N=134.
Q8. Where is your organization’s current cybersecurity strategy positioned across the following dimensions?

U.S.: Agility and Protecting Customer Data Are Even More
Important, Stronger Priority Around ‘Protecting Everything’
U.S. vs. Total

Increase agility / Reduce costs: U.S. 65% / 35%; Total 62% / 38%
Protect customer data / Protect organization IP: U.S. 62% / 38%; Total 58% / 42%
Inside out (understand employee behavior to prevent valuable data from escaping) / Outside in (keep intruders out): U.S. 50% / 50%; Total 56% / 44%
Open & collaborative work environment / Zero trust: U.S. 58% / 42%; Total 54% / 46%
Safeguard most valuable assets / Protect everything: U.S. 38% / 62%; Total 51% / 49%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leaders n=66.
Q8. Where is your organization’s current cybersecurity strategy positioned across the following dimensions?

Europe: A Focus on Protecting Customer Data and Safeguarding
Most Valuable Assets
Europe vs. Total

Increase agility / Reduce costs: Europe 58% / 42%; Total 62% / 38%
Protect customer data / Protect organization IP: Europe 64% / 36%; Total 58% / 42%
Inside out (understand employee behavior to prevent valuable data from escaping) / Outside in (keep intruders out): Europe 58% / 43%; Total 56% / 44%
Open & collaborative work environment / Zero trust: Europe 53% / 47%; Total 54% / 46%
Safeguard most valuable assets / Protect everything: Europe 61% / 39%; Total 51% / 49%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Europe Respondents n=109.
Q8. Where is your organization’s current cybersecurity strategy positioned across the following dimensions?

APAC: Agility, Protecting Organizational IP and Protecting
Everything Are More Important
APAC vs. Total

Increase agility / Reduce costs: APAC 67% / 33%; Total 62% / 38%
Protect customer data / Protect organization IP: APAC 39% / 61%; Total 58% / 42%
Inside out (understand employee behavior to prevent valuable data from escaping) / Outside in (keep intruders out): APAC 61% / 39%; Total 56% / 44%
Open & collaborative work environment / Zero trust: APAC 54% / 46%; Total 54% / 46%
Safeguard most valuable assets / Protect everything: APAC 37% / 63%; Total 51% / 49%

May not equal to 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: APAC Respondents n=41.
Q8. Where is your organization’s current cybersecurity strategy positioned across the following dimensions?

Not Surprisingly, Larger Organizations Have More Confidence
That They Are Consistently Ahead of Potential Threats

[Stacked bar chart: share who “Somewhat agree” or “Strongly agree,” for organizations over $10B vs. under $10B in annual revenue, across four statements: “Cybersecurity is a top organizational priority”; “Our security team is consistently ahead of cybersecurity threats”; “Senior leadership is cyber-aware & data-literate”; “Possibility of being the next cybersecurity breach keeps me up at night”]

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Annual revenue under $10B n=118, over $10B n=82.
Q11. To what extent do you agree or disagree with the following statements?

Perception: Digital Transformation Initiatives Both Increase
Exposure to Cyberthreats and Make It Easier to Guard Against Them
85% of executives agree that their cybersecurity strategy is a major driver of business
and digital transformation.

Digital transformation has… (Strongly Agree)

Increased our organizational exposure to cyberthreats: CEO 66%, CISO 49%
Made it easier to guard against cyberthreats: CEO 65%, CISO 62%
Been substantially accelerated by our cybersecurity: CEO 61%, CISO 47%
Not had a significant effect on our cybersecurity strategy: CEO 4%, CISO 5%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q12. Which of the following statements best describes the impact of digital transformation on your organization’s cybersecurity strategy?

Leaders Indicate They Experience More Challenges in
Collaboration Due to the Lack of Common Vocabulary
This difference could be due to higher expectation of alignment and collaboration among “Leader”
organizations.
Severely Impacted

Identifying top organizational priorities: Leader 64%, Non-leader 46%
Making technical decisions: Leader 53%, Non-leader 26%
Presenting compelling business cases: Leader 47%, Non-leader 23%
Interpreting strategy at the business-unit level: Leader 45%, Non-leader 25%
Formulating enterprise-level strategy: Leader 44%, Non-leader 25%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134.
Q13. To what extent are each of the following areas of collaboration hindered by the lack of common vocabulary between senior management and cybersecurity specialists?

III. Starting Over & Looking Forward

The reality of cybersecurity generally falls short of the ideal.

But that ideal remains within reach for many, even as legacy infrastructure and a lack of support
at the top present formidable obstacles.

Executives want more vendors — not fewer — to help support their cybersecurity stack.

Respondents’ Ideal State For Cybersecurity Strategy is Proactive,
Marginally More Threat-Centric and Integrated
But there is a lack of a strong consensus for most dimensions.

Ideal Cybersecurity Strategy: Bipolar choice

Proactive & risk-focused 58% / 42% Reactive & incident-driven
Threat-centric 54% / 46% Behavior-centric
Integrated (owned by entire org.) 53% / 47% Segmented (owned by regions, departments)
Rule-based 51% / 49% Risk-adaptive

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Total Respondents n=200.
Q15. Where would this ideal cybersecurity strategy be positioned on the following dimensions?

Leaders Lean More Toward Proactive, Threat-Centric and
Rule-Based
But there is a lack of a strong consensus for most dimensions.

Leaders vs. Non-leaders

Proactive & risk-focused / Reactive & incident-driven: Leaders 60% / 40%; Non-leaders 58% / 42%
Threat-centric / Behavior-centric: Leaders 57% / 43%; Non-leaders 54% / 46%
Integrated (owned by entire org.) / Segmented (owned by regions, departments): Leaders 49% / 51%; Non-leaders 53% / 47%
Rule-based / Risk-adaptive: Leaders 57% / 43%; Non-leaders 51% / 49%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leaders n=66.
Q15. Where would this ideal cybersecurity strategy be positioned on the following dimensions?

U.S. Respondents Lean More Toward Behavior-Centric vs. Total

But there is a lack of a strong consensus for most other dimensions.

U.S. vs. Total

Proactive & risk-focused / Reactive & incident-driven: U.S. 56% / 44%; Total 58% / 42%
Threat-centric / Behavior-centric: U.S. 47% / 53%; Total 54% / 46%
Integrated (owned by entire org.) / Segmented (owned by regions, departments): U.S. 56% / 44%; Total 53% / 47%
Rule-based / Risk-adaptive: U.S. 53% / 48%; Total 51% / 49%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: U.S. Respondents n=50.
Q15. Where would this ideal cybersecurity strategy be positioned on the following dimensions?

Europe Respondents’ Ideal State for Cybersecurity Strategy is
Proactive
But there is a lack of a strong consensus for most other dimensions.

Europe vs. Total

Proactive & risk-focused / Reactive & incident-driven: Europe 58% / 42%; Total 58% / 42%
Threat-centric / Behavior-centric: Europe 51% / 49%; Total 54% / 46%
Integrated (owned by entire org.) / Segmented (owned by regions, departments): Europe 53% / 48%; Total 53% / 47%
Rule-based / Risk-adaptive: Europe 53% / 48%; Total 51% / 49%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Europe Respondents n=109.
Q15. Where would this ideal cybersecurity strategy be positioned on the following dimensions?

APAC Respondents Lean More Toward Threat-Centric vs. Total

But there is a lack of a strong consensus for most other dimensions.

APAC vs. Total

Proactive & risk-focused / Reactive & incident-driven: APAC 60% / 40%; Total 58% / 42%
Threat-centric / Behavior-centric: APAC 70% / 30%; Total 54% / 46%
Integrated (owned by entire org.) / Segmented (owned by regions, departments): APAC 49% / 51%; Total 53% / 47%
Rule-based / Risk-adaptive: APAC 53% / 47%; Total 51% / 49%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: APAC Respondents n=44.
Q15. Where would this ideal cybersecurity strategy be positioned on the following dimensions?

Leaders Are Closer to Their Ideal Cyber Setup

Current Cybersecurity System vs. Ideal System

While only about one-quarter of executives (27%) say their current cybersecurity matches their
ideal system, over half say their existing system is “very similar.” That suggests they are likely
looking for tweaks and enhancements rather than a wholesale overhaul.

CEOs are more apt to call their existing system ideal than are CISOs (31% vs. 23%).

[Stacked bar chart: Leader vs. Non-leader responses of “Identical,” “Very similar,” “Somewhat similar” and “Don't resemble very much/at all”]

May not equal 100% due to rounding.

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134.
Q16. How closely does your organization’s current cybersecurity situation resemble the ideal system that you described in the previous question?

Legacy Infrastructure and C-Suite/Board Level Support Are the
Most Significant Obstacles to an Ideal System
CEOs and CISOs largely aligned.

Lack of C-suite and board-level understanding and support: CEO 45%, CISO 30%
Legacy infrastructure: CEO 45%, CISO 51%
Difficulty in creating a compelling business case: CEO 36%, CISO 35%
Short-term thinking: CEO 30%, CISO 36%
Budget shortfalls: CEO 26%, CISO 16%
Cultural issues: CEO 20%, CISO 26%
Complexity of migration: CEO 12%, CISO 19%
Geographic complexity: CEO 12%, CISO 22%
Employee resistance: CEO 4%, CISO 5%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: CEO n=100, CISO n=100.
Q17. What are the main obstacles that are preventing your organization from implementing the ideal system you described?

All Targets Are Largely Aligned in Looking for More, Not Fewer,
Cybersecurity Vendors/Solutions on Top of a Robust Number
Respondents currently have an average of 50 vendors in their cybersecurity stack.
There appears to be a perception that more equals better.

More vendors: CEO 62%, CISO 57%, Leaders 67%, Non-leaders 56%
The same number: CEO 36%, CISO 39%, Leaders 33%, Non-leaders 40%
Fewer vendors: CEO 2%, CISO 4%, Leaders 0%, Non-leaders 4%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Total Respondents n=200.
Q6. How many vendors does your organization currently have in its cybersecurity stack?
Q18. Ideally, would the number of vendors you work with be higher or lower than the number you currently work with?

Leaders Look to Behavior-Based Enforcement, While Biometric
Authentication and AI Are Attractive to Non-Leaders

Behavior-based policy enforcement: CEO 49%, CISO 39%, Leader 56%, Non-leader 38%
Biometric authentication: CEO 50%, CISO 42%, Leader 39%, Non-leader 49%
Data masking/tokenization: CEO 52%, CISO 45%, Leader 36%, Non-leader 54%
Artificial intelligence: CEO 29%, CISO 38%, Leader 33%, Non-leader 34%
Integrated suites/platforms of broad security capability: CEO 4%, CISO 21%, Leader 20%, Non-leader 9%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134. CEO n=100, CISO n=100.
Q19. What innovative security technologies will be most valuable to your organization in three to five years?

Next Three to Five Years, Leaders Most Concerned About
Malware
CEOs and CISOs agree that identity theft is the number one concern, and malware is the second
greatest concern in the near future.

Identity theft (including stolen credentials): CEO 52%, CISO 44%, Leader 39%, Non-leader 52%
Malware (including phishing): CEO 45%, CISO 36%, Leader 61%, Non-leader 31%
Accidental user error: CEO 37%, CISO 27%, Leader 18%, Non-leader 39%
Malicious insider: CEO 25%, CISO 28%, Leader 21%, Non-leader 29%
Distributed Denial of Service (DDoS): CEO 13%, CISO 18%, Leader 18%, Non-leader 14%
Poor patching: CEO 13%, CISO 16%, Leader 11%, Non-leader 16%
Poor system admin (including cloud…: CEO 2%, CISO 11%, Leader 2%, Non-leader 9%

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: Leader n=66, Non-Leader n=134. CEO n=100, CISO n=100.
Q20. Which of the following will pose the greatest overall threat to your organization’s cybersecurity in three to five years?

Regional Highlights

APAC

Derives the most business value from cybersecurity spending (Q4: 95% vs. 61% “excellent value”)

Makes cybersecurity a top priority (Q11: 76% vs. 61% “strongly agree”), has highly aware and
literate leadership (66% vs. 44%), and is consistently ahead of threats (63% vs. 47%)

Sees no difficulty in creating a compelling business case (Q17: 19% vs. 40%)

EUROPE

Derives the least business value from cybersecurity spending (Q4: 55% vs. 84% Rest of world
“excellent value”)

Lags in making cybersecurity a priority (Q11: 57% vs. 73% “strongly agree”) and in having highly
aware and data-literate leadership (40% vs. 68% “strongly agree”)

Finds difficulty in presenting a compelling business case for cybersecurity (Q17: 46% vs. 23%)

UNITED STATES

Updates cybersecurity on a regular basis (Q7: 62% vs. 54% Rest of world)

Believes the greatest threat will be identity theft (Q20: 62% vs. 43%)

Believes biometric authentication will be the most valuable technology (Q19: 56% vs. 43%)

Source: The C-Suite Report: The Current and Future State of Cybersecurity, November 2019. Base: U.S. n=50, Europe n=109, APAC n=41.

Thank you.
