said: “Normally, there is a lot to address – technological controls, procedural controls, cultural controls. We work with partners to determine a ‘target state’ that is proportionate.” He added: “We do have clients who see technology as an answer to everything. That gives false comfort. If you don’t address training, you only address part of the problem.” Third-party suppliers provide additional security challenges. Gooch said: “The GDPR helped boost documenting and assessment of third parties.” However, he identified at least two challenges: “One, many programmes are tick-box exercises. They provide evidence that an organisation has been through a process, but is it really getting value from the process? You need a risk-based approach.” Second, he said: “There is a need for
due diligence around third parties when there is an acquisition or an organisation takes on a third party. It could be this introduces new vulnerabilities.” Yet the biggest challenge in
cybersecurity remains “the breadth of the topic”, he said. “It’s a genuine struggle for organisations to get their heads around. Boards put cyber at the top of the risk agenda, but it is massively complex. It’s difficult for a board to know ‘Is this money well spent?’” He also noted: “Cybersecurity is a
fragmented and very competitive market, and there is a recognised shortage of cyber skills in the UK.” At the same time, Gooch said:
“Developing threats are a challenge. You have to be constantly re-evaluating your security. The technological landscape can change. What was good two years ago may no longer be good enough. There may be a big shift to the cloud or to outsourcing. You may need to ask for more money. It’s not an environment in which you can ever say ‘Well done’.” However, he identified one sign of
improved understanding of the risks, saying: “I rarely have to explain what I do these days.”
BIGGEST CHALLENGES
FIGURE 67: CYBER RISK:
%
10 15 20 25 30 35
0 5
All responsible for cyber security, all sectors
34% 32% 18% Shadow IT 16%
Cyber transformation Cyber
‘hygiene’ Hybrid IT
%
10 15 20
0 5
FIGURE 69:
CYBER MANAGEMENT: BIGGEST CHALLENGES
%
‘SHADOW IT’ unmanaged by IT departments and cyber transformation top the risks identified by cyber professionals
(Figure 67). Data security is only one of the challenges (Figure 68). The speed of change, lack of skills and inadequate funds hamper security (Figure 69), when 90% of major companies suffered a
‘sensitive data disclosure’ in the last 12 months (Figure 70)
10 15 20
0 5
Frequency on board agenda
Ad hoc 1%
Annually 15%
yearly 31%
Half
Quarterly 49%
FIGURE 70: CYBERSECURITY AS BOARDROOM ISSUE cyber threats Top-3 % Monthly 4%
10 15 20 25 30 35
0 5
35% 32% 31% Data integrity
Employee action
Tech vulnerabilities
%
10 20 30 40 50
0 49% 41% None
One to five Five-plus
10% *In testing/ development Base: 500 executives with cyber responsibility, annual revenue $500m-plus. Source: Deloitte 2019 Travel Weekly Insight Report 2019-20 41
Suffered sensitive data disclosures* in last 12 months
16% 15% 15% All sectors 14% 14% 13% 12%
Data management Risk prioritisation Rapid IT changes Lack of skills
Management alignment Lack of funds
Inadequate governance 16% 14% 14% 13% 11% 11% 10% 10%
Data security Infrastructure security Cyber transformation Identity solutions Application security Incident response Technical resilience Threat detection
FIGURE 68: CYBER BUDGET ALLOCATION All sectors
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52
