In our annual survey among 4,744 global respondents around the current state of cybersecurity resilience, we found 85% of CISOs agree or strongly agree that the cybersecurity strategy is developed with business objectives, such as growth or market share, in mind. Yet, 81%, also said that “staying ahead of attackers is a constant battle and the cost is unsustainable” compared with 69% in 2020.
Cyber attacks are up: There were on average 270 attacks per company over the year, a 31% increase over 2020. Third-party risk continues to dominate: successful breaches to the organisation through the supply chain have increased from 44% to 61%.
Increase in the average number of attacks per company since 2020
Security investment continues to rise: More than 80% of our survey respondents say their budgets have increased in the last year. IT security budgets are now up to 15% of all IT spending, 5 percentage points higher than reported in 2020.
Report budget increases
Cloud still has a complex relationship with security: Despite most respondents believing in secure cloud, 32% say security is not part of the cloud discussion from the outset and they’re trying to catch up. Reasons preventing take-up of the cloud revolve around security issues: about one-third of all respondents say poor governance and compliance is a problem, that cloud security is too complex and that they do not have the internal skills to structure a proper cloud security framework.
Security is not part of the cloud discussion
This year, we identified four levels of cyber resilience including an elite group of Cyber Champions—organisations that excel at cyber resilience, but also align with the business strategy to achieve better business outcomes.
There’s money on the table. Organisations stand to reduce their cost of breaches by 48% to 71% if they increase their performance to Cyber Champion levels.
We also continued to explore how winning organizations tackle cyber resilience, evaluating their responses based on the following performance criteria: they stop more attacks, find and fix breaches faster and reduce breach impact.
Key measures of cyber resilience
Click on the arrows to explore how organizations perform.
Cyber Risk Takers
How to be a Cyber Champion
Cyber Champions demonstrate that, with the right balance of alignment between business strategy and cybersecurity, organisations can achieve strong business performance while maintaining superior cyber resilience. Cyber Champions:
Are among the top 30% in at least three of the four cyber resilience criteria.
Experience fewer successful breaches – 8 percentage points lower than Business Blockers and 36 percentage points lower than Cyber Risk Takers.
Have speedier detection and remediation response times.
Better protect themselves from loss of data—only 4% of Cyber Champions lose more than 500,000 records—6.5X less than Cyber Risk Takers.
To be more like Cyber Champions:
Give CISOs a seat at the top table
By drawing on the experience and insights of the wider leadership team, CISOs can gain a broader perspective that serves the whole business well.
Be threat-centric and business aligned
Security leaders must closely align with the business as partners in driving down risk. This alignment helps to embed security into business priorities.
Get the most out of secure cloud
Organisations should seize the opportunity to reset their security posture, earlier and more effectively to the cloud—like our Cyber Champions do.
Organizations that focus solely on business objectives are missing out on the benefits of cyber resilience. By aligning their cybersecurity efforts with the business strategy, organizations can not only achieve better business outcomes, but also seize the advantage in the race to cyber resilience.
The authors would like to thank Edward Blomquist, Julia Malinska, Anna Marszalik, Eileen Moynihan, Vincenzo Palermo and Ann Vander Hijde for their contributions to this report.