1. Make risk and cybersecurity a boardroom agenda
TCS Risk and Cybersecurity Study
on.tcs.com/risk-cybersecurity
TCS Thought Leadership Institute
2. The objective
To learn how the C-suite officers in charge of corporate strategy for cyber risk and security in key industries are
preparing for cyber threats and attacks.
• How involved are boards of directors and other CXOs in ensuring cybersecurity?
• How confident are CISOs and CROs of their cybersecurity capabilities in the face of advanced threats?
• What are the priority areas for securing enterprises and improving cyber resiliency?
• What are the obstacles to implementing cybersecurity initiatives?
• Do companies trust the security of cloud platforms?
3. Learning from the leaders
We identified two special categories within our 607 respondents.
Pacesetters = Companies with higher revenue and net profit growth than the industry average (2017 to 2021)
Followers = Companies with lower revenue and net profit growth than the industry average (2017 to 2021)
Pacesetters and Followers
• 17% Pacesetters
• 34% all others
• 49% Followers
4. Two out of every five boards of directors discuss cyber risk and security at every meeting…
How often the board includes cyber risk and security in its agenda
• 40% at every board meeting
• 43% periodically
• 13% occasionally or as necessary
• 4% almost never or never
• 1% don’t know/can’t say how often
…but one in six boards engage on the issue never, occasionally, or only as necessary.
5. The more financially successful a company is, the more likely the board is to focus on cyber risk and security.
How often the board includes cyber risk and security in its agenda
• Pacesetters: 44% very regularly/every board meeting; 46% periodically; 5% occasionally/as necessary; 5% almost never or never
• All others: 42% very regularly/every board meeting; 41% periodically; 14% occasionally/as necessary; 3% almost never or never
• Followers: 36% very regularly/every board meeting; 44% periodically; 14% occasionally/as necessary; 4% almost never or never
• Don’t know/can’t say: 1%
6. Most CISOs and CROs feel at least somewhat confident they can avoid a major cybersecurity incident.
CISO and CRO confidence in their company’s ability to avoid a major cyber incident in the next 3 years resulting in significant financial or reputational loss
• 14% very confident
• 46% somewhat confident
• 31% neutral/not sure
• 9% increasingly less confident
• 0.33% not at all confident
7. While 4 in 10 C-suite executives could be said to be proactive on issues of risk and cybersecurity, over half tend to be reactive, at best.
How much attention is given to cyber risks and security issues by business unit leaders and its C-level executives
• 42% of CISOs/CROs say other executives actively and frequently discuss cyber risks and security
• 33% of CISOs/CROs say other executives discuss cyber risks and security, but usually only when cyber threats are brought to their attention
• 18% of CISOs/CROs say other executives discuss cyber risks and security only when a cyberattack hurts business
• 7% of CISOs/CROs say other executives have hardly addressed cyber risk and security
8. Platforms and databases related to cash flow, customer data and intellectual property are the highest targets.
The supply chain and, especially, the digital ecosystem enabling much of global business should get higher consideration, given the increasing number of attacks using these as a vector.
Corporate functions where CISOs and CROs expect to see the greatest number of cyberattacks between now and 2025
• Finance
• Customer databases
• R&D
• Sales/ecommerce
• Marketing
• Manufacturing plants/production/procurement
• Human resources
• Legal
• Distribution/supply chain
• Ecosystem partners
9. Boards of directors are less likely to think ecosystem risks warrant closer focus–which may represent a blind spot.
Cyber risk and security priorities arising out of board-level discussions
Not included: “There have been no cyber risk or security priorities arising out of board discussions” (3%)
• Increasing cybersecurity maturity of our company relative to industry peers and adopting emerging models like zero trust
• Ensuring cyber risks are holistically managed and mitigated across our company and its larger ecosystem
• Creating and adopting a comprehensive cybersecurity governance model
• Focusing on ecosystem risks and collaboration for oversight, monitoring, and mitigation of those risks
• Creating a “resilience-by-design” culture and adopting such standards and controls
• Improving visibility of cyber risks and ensuring compliance to regulatory and industry requirements
10. Cloud platforms have edged out on-premises servers and traditional data centers as the more secure option.
Most companies find cloud platforms as or more secure compared to on-premises infrastructure
• 34% say cloud platforms are more secure than on-premises servers or data centers
• 28% say the cyber risks of cloud platforms and on-premises services or data centers are about the same
• 32% say cloud platforms are less secure than on-premises servers or data centers
• 6% of companies can’t come to an agreement about the cybersecurity risks of cloud platforms
11. Firms that are more financially successful are also more likely to opt for the security of cloud platforms over traditional infrastructures.
Enterprise attitudes toward cloud platforms
• Cloud platforms are more secure than on-premises servers or data centers: Pacesetters 44%; All others 38%; Followers 27%
• The cyber risks of cloud platforms and on-premises services or data centers are about the same: Pacesetters 27%; All others 25%; Followers 31%
• Cloud platforms are less secure than on-premises servers or data centers: Pacesetters 25%; All others 31%; Followers 36%
• We can’t come to an agreement about the cybersecurity risks of cloud platforms: Pacesetters 4%; All others 6%; Followers 6%
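12. The cyber executives of cloud-friendly companies are more likely to feel confident about their security posture toward internal risks and external threats.
Perceptions of external/internal risks and threats, versus enterprise attitudes toward cloud platforms
n = 607; not shown: companies that can't come to an agreement about cybersecurity risk of cloud platforms
• Cloud platforms are more secure than on-premises servers or data centers: 41% “We have external/internal risks and threats well in hand”; 34% “Our ability to handle external/internal risk and threats is typical for our industry”; 25% “External/internal risks and threats outstrip our defenses, policies and controls”
• The cyber risks of cloud platforms and on-premises services or data centers are about the same: 34% “We have external/internal risks and threats well in hand”; 38% “Our ability to handle external/internal risk and threats is typical for our industry”; 29% “External/internal risks and threats outstrip our defenses, policies and controls”
• Cloud platforms are less secure than on-premises servers or data centers: 29% “We have external/internal risks and threats well in hand”; 39% “Our ability to handle external/internal risk and threats is typical for our industry”; 32% “External/internal risks and threats outstrip our defenses, policies and controls”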
13. Recruiting and retaining advanced cyber skills are the greatest challenges for CISOs and CROs
The greatest challenges to cybersecurity and risk mitigation initiatives according to CROs and CISOs
• Skill sets to manage, engineer and support cybersecurity technology
• Workforce changes/requirements (e.g., work from home, bring-your-own-device, etc.)
• Assessing cyber risks and quantifying relevant costs
• Reliance on legacy IT systems
• Accumulated complexity of our own business processes and operations
• Difficulty in demonstrating return on cybersecurity investments
• Lack of collaboration across enterprise units (business, IT and security)
• Lack of diversity (including of thought and experience) in staff assessing cyber risks and threats
• Difficulty in mandating that our current vendors adopt advanced technologies and policies
• Budget constraints
• Competing interests for the board or senior leadership
• Outdated, siloed and non-integrated security tools
14. Getting and keeping top talent is becoming more difficult for cybersecurity positions.
Recruiting and retaining needed cyber skills
• Recruiting top talent with cyber risk and security skills: 56% “We have not had a difficult time doing so this past year”; 44% “We have had a difficult time doing so this past year”
• Retaining top talent with cyber risk and security skills: 58% “We have not had a difficult time doing so this past year”; 42% “We have had a difficult time doing so this past year”
15. Cloud-friendly organizations have a five-point advantage in recruiting and retaining top talent compared to cloud-avoidant companies
Embrace of cloud platforms, vs challenge in recruiting and retaining top talent with cyber skills
Combined "recruiting" and "retention" answers; not shown: "We can't come to an agreement on cloud"
• Cloud platforms present less cyber risk than on-premises servers or traditional data centers: 59% “We have not had a difficult time recruiting/retaining top talent with cyber skills”; 41% “We have had a difficult time recruiting/retaining top talent with cyber skills”
• The cyber risks of cloud platforms present no more or less risk than the cyber risks inherent in on-premises servers and traditional data centers: 59% “We have not had a difficult time recruiting/retaining top talent with cyber skills”; 41% “We have had a difficult time recruiting/retaining top talent with cyber skills”
• Cloud platforms present more cyber risk than on-premises servers or traditional data centers: 54% “We have not had a difficult time recruiting/retaining top talent with cyber skills”; 46% “We have had a difficult time recruiting/retaining top talent with cyber skills”
16. 2 roles, 2 continents, 4 industries: 607 participants
• Chief risk officers: 50%
• Chief information security officers: 50%
• North America HQ: 54%
• Europe/UK HQ: 46%
• Banking and financial services: 25%
• Utilities: 25%
• Media and information services: 25%
• Manufacturing: 25%
17. To learn more about how chief risk and information security officers perceive the challenges they’re up against, visit on.tcs.com/risk-cybersecurity