Findings from the 2024 Global Digital Trust Insights- India edition

The C-suite playbook: Putting security at the epicenter of innovation

Global Digital Trust Insights
  • Issue
  • 10 minute read

This year we had a record number of respondents to our survey of which 33% of respondents represented organisations which had >10 billion USD in revenue, 20% of the respondents were from publicly listed organisations and 55% of the respondents belong to the tech and security function.

The India highlights

This year we had a record number of respondents to our survey of which 33% of respondents represented organisations which had >10 billion USD in revenue, 20% of the respondents were from publicly listed organisations and 55% of the respondents belong to the tech and security function.

Table 1: Top cyber threats to organisations over the next 12 months (% ranked top three)

table 1
  • From a cyber risk perspective and over the next 12 months, Indian organisations are most concerned around cloud-related threats (52%), attacks on connected devices (45%), hack-and-leak operations (36%) and software supply-chain compromise (35%).
  • Almost half of respondents felt that the outcome of a cyber attack could result in loss of customer data and revenue, followed by more than a third of them highlighting operations downtime to be a key outcome of a cyber attack.

  • Cyber budgets continue to rise. 99% of the respondents stated an increase in cyber budgets, out of which 50% of them envisaged an increase between 6% and 15% in the next 12 months.

Table 2: Changes to cyber budgets in 2024

table 2
  • More than 90% of respondents use an integrated suite of cyber technology or have plans to migrate towards an integrated suite in the next two years. More than 90% of respondents adopted a multi-cloud or private cloud strategy. However, only a third of the respondents highlighted that the cloud service provider has implemented a risk mitigation strategy.
  • As the focus on zero-trust sharpens, 55% of respondents prioritised software-defined perimeter and networking and software-defined access while only 26% focused on securing endpoints and identities.
  • Breach costs and the number of large-scale data breaches continues to be on the rise. Out of the 54 respondents, 50% of them have estimated the costs anywhere between USD 1 million and USD 20 million in the last 3 years.

Table 3: Estimated costs to organisations most damaging data breach in the past three years

table 3
  • More than 90% of respondents felt that generative AI will help them add new lines of business over the next 12 months and they are focused on ethical and responsible use of generative AI in their organisations.
  • 91% of the respondents strongly agreed that employees’ personal use of generative AI will lead to tangible increases in their productivity within the next 12 months.
  • However, 73% of the respondents felt that generative AI will lead to catastrophic cyber attacks in the next 12 months.
table 4
  • 38% of the respondents felt that harmonising data protection laws in the countries where they operate will have an impact to secure future revenue growth.
  • 46% of them have highlighted regulation of AI to be an important driver for their organisations’ future growth plans.
  • 35% of the organisations highlighted the need for mandatory reporting of cyber risk management and governance.
  • 62% of the respondents follow cyber resilience reviews to report their organisation’s readiness and a third of the respondents use NIST and ISO 27001 to report their cyber posture.
table 5

Dare to break cyber-as-usual: The 2024 C-suite playbook

It’s no longer business-as-usual at your organisation. But most companies are still locked into cyber asusual, as the 2024 Global Digital Trust Insights survey shows. Fragmented initiatives. An ever-expanding array of technological complexities. A risk management programme that, with its gaps, is risky in itself. Transformations and projects that don’t produce the results you want. These stumbling blocks and others remain in the way of cybersecurity that’s truly trustworthy.

In the 2023 playbook, we identified critical challenges that C-suite executives should address together, as partners. These are still relevant.

Regulations that could change cybersecurity

The top initiatives in this chart are cyber-focused; the bottom, business-focused


Creating or improving Business Unit Information Security Officer (BISO) roles
%
%
Developing a new model for DevSecOps to better integrate security and technology development
%
%
Creating a new operating model focused on business enablement
%
%
Using large language models or generative Al in risk detection and mitigation
%
%

Using managed services in new areas
%
%
Using data to quantify cyber risks and allocate cyber budgets
%
%
Integrating fully with the organisation’s resilience strategy and activities
%
%
Shifting to zero trust concept
%
%
Implemented and realising benefits
Implemented across the organisation but not realising benefits yet

Q10. To what extent is your organisation implementing or planning to implement the following cybersecurity initiatives?
Base: All respondents= 3876. Analysis technique utilised is factor analysis
Source: PwC, 2024 Global Digital Trust Insights.

In 2024, we’re raising the challenge:

  • Do you dare, as a C-suite leader, to break out of the stasis and make the one or two bold moves that will matter most for your organisation?
  • Or to take that one imaginative leap that could finally clear the hurdles blocking your company from its goals? 
  • We see some enterprises already picking their best bets. The array of options is broad.

What’s right for your organisation?

Speak a new language.

CISO

CFO

General Counsel

Placing yourself at the epicentere of innovation means meeting your leadership teams where they are and helping them to overcome the intimidation they might feel regarding what you do. Using insider terms such as cyber landscape, attack surface and even zero trust can only further mystify those outside your profession. 

Dare to talk about cyber in business-speak, tech-speak, finance-speak or everyday-speak. Speak to your customers, investors and business partners in annual security reports in ways that inform and engage. Using common vocabularies can help executives wrestle with the trade-offs, tensions and chaos that inevitably happen at the epicentere of innovation

Try bold, new ways of managing cyber risk

CISO

CRO

Internal audit

CCO

COO

Use more sophisticated approaches to cyber-risk modelling such as scanning for threats using formulas specific to your company’s sector, vision and strategy. Create a risk-linked performance incentive for every bonus-eligible employee in the company, to build a risk culture. Invent new ways to find and strengthen your weaknesses, perhaps with a modern bug bounty programme that incentivises independent security research. Finally, procure and begin using a cloudfirst, centrally managed identity solution to secure your business expansion goals. 

Shape guardrails

CISO

CIO

General Counsel

Regulatory Affairs

Speak the language of trust, not just regulatory compliance. Involve yourself early and often for a better chance at influencing any new rules and ensuring that they boost, not hinder, business success. AI, the metaverse, cryptocurrency, privacy - the regulatory topics could well benefit from your experience and insights. Remember, regulators can feel as befuddled as anyone by the workings of cyber and tech.

Free your teams for creative thinking (automation, GenAI, managed services).

CISO

CIO

CTO

CRO

COO

Providing you with round-the-clock eyes is one benefit of automation, GenAI and managed services. Performing mundane chores so your teams don’t have to is another.

Liberated from the tyranny of tedious tasks, your people may find time and space to ponder new cyber threats and create new ways to thwart evolving threats.

Welcome cyber into the boardroom.

CISO

Board

CEO

Cyber tops the risk register in most companies and on many executive surveys. But is it a staple topic in your boardroom? Are you getting quality information not only on cyber risks and controls, but also on how major strategic initiatives are furthering business and revenue growth? Security provides the underpinnings for everything the organisation does: finance, development, personnel, technology and other areas of the business you likely discuss every time you meet.

Looking your cyber programme squarely in the eye can be a daring move.

Think like the business owner.

CISO

CEO

Business transformation is one thing. Cyber transformation is not another. They are the same. The CISO and CEO together need to embrace cyber as a whole-of-business endeavour, putting themselves in the business owner’s shoes. Wouldn’t they want every aspect – financial records, proprietary research, application development, customer data and the like - protected from unauthorised viewing or use? Wouldn’t they want to safeguard their brand? Couldn’t cybersecurity spur innovations that save money and help the business to grow? This is the raison d’être of cyber.  


GenAI for cyber defence

69%

 

More than two-thirds say they’ll use GenAI for cyber defence in the next 12 months.

 

47%

 

Nearly half are already using it for cyber risk detection and mitigation.

 

21%

 

One-fifth are already seeing benefits to their cyber programmes because of GenAI — mere months after its public debut.

 

Q7. To what extent do you agree or disagree with the following statements about Generative AI? Q10. To what extent is your organisation implementing or planning to implement the following cybersecurity initiatives?
Base: All respondents=3876
Source: PwC, 2024 Global Digital Trust Insights.


 

GenAI comes at an opportune time in cybersecurity.

For defence. Organisations have long been overwhelmed by the sheer number and complexity of human-led cyberattacks, both of which continually increase. And GenAI is making it easier to conduct complex cyber attacks at scale. Researchers found a 135% increase in novel social engineering attacks in just one month, from January to February 2023. Services like WormGPT and FraudGPT are enabling credential phishing and highly personalised business email compromise.

To secure innovation. Businesses eager to reap GenAI’s many potential benefits to develop new lines of business and increase employee productivity invite serious risks to privacy, cybersecurity, regulatory compliance, third-party relationships, legal obligations and intellectual property. So to get the most benefit from this groundbreaking technology, organisations should manage the wide array of risks it poses in a way that considers the business as a whole.

 

The promise of GenAI for cyber defence

From reconnaissance to action, GenAI can be useful for defence all along the cyber kill chain. Here are the three most promising areas.

Threat detection and analysis. GenAI can be invaluable for proactively detecting vulnerability exploits, rapidly assessing their extent — what’s at risk, what’s already compromised and what the damages are — and presenting tried-and-true options for defence and remediation. GenAI can identify patterns, anomalies and indicators of compromise that elude traditional signature-based detection systems.

GenAI is strong at synthesising voluminous data on a cyber incident from multiple systems and sources to help teams understand what has happened. It can present complex threats in easy-to-understand language, advise on mitigation strategies and help with searches and investigations.

Cyber risk and incident reporting. GenAI also promises to make cyber risk and incident reporting much simpler. Vendors already are working on this capability. With the help of natural language processing (NLP), GenAI can turn technical data into concise content that non-technical people can understand. It can help with incident response reporting, threat intelligence, risk assessments, audits and regulatory compliance. And it can present its recommendations in terms that anyone can understand, even translating confounding graphs into simple text. GenAI could also be trained to create templates for comparisons to industry standards and leading practices.

GenAI’s reporting capabilities should prove invaluable in this new era of heightened cyber transparency. To wit: A recent law will soon require critical infrastructure entities in the US to report cyber incidents. Also, the Securities and Exchange Commission (SEC) has released rules requiring disclosures of material cyber incidents and material cyber risks in SEC filings. The European Union’s Digital Operational Resilience Act calls for timely and consistent reporting of incidents that affect financial entities’ information and communication technologies. Imagine having a tool that makes preparing these reports much easier.

Adaptive controls. Securing the cloud and software supply chain requires constant updates in security policies and controls — a daunting task today. Machine learning algorithms and GenAI tools could soon recommend, assess and draft security policies that are tailored to an organisation's threat profile, technologies and business objectives. These tools could test and confirm that policies are holistic throughout the IT environment. Within a zero trust environment, GenAI can automate and continually assess and assign risk scores for endpoints, and review access requests and permissions. An adaptive approach, powered by GenAI tools, can help organisations better respond to evolving threats and stay secure.

And more. Many vendors are pushing the limits of GenAI, testing what’s possible. As the technology improves and matures, we’ll see many more uses for it in cyber defence. It could be some time, however, before we see “defenceGPT’s” broad-scale use.

Invest in your security teams

GenAI tools could help relieve the acute cyber talent shortage. Attrition is a growing problem for 39% of CISOs, CIOs and CTOs, according to our 2023 Global DTI survey. It’s hindering progress on cyber goals for another 15%.

Once GenAI frees security professionals from routine and mundane tasks such as detection and analysis, they may turn their focus to understanding — not just knowing — the causes of breaches and how best to respond to them. They can be better positioned to make fast decisions and take swift actions. ​​They might cultivate true “deep learning” — in a human sense — of LLMs, and use them to invent new ways to secure the enterprise.

And they’ll be well equipped to pivot from finding answers — GenAI’s purview, now — to asking more meaningful questions not only of their AI models but also of one another, sparking imagination and insights that are truly new. You can help your security teams develop traits that AI won’t learn or automate, such as curiosity, empathy and intuition.

Brace for regulatory uncertainty

The use of GenAI for cyber defence — just like the use of GenAI across the business — will be affected by AI regulations, particularly concerning bias, discrimination, misinformation and unethical uses. Recent directives including the Blueprint for AI Bill of Rights from the White House and the draft European Union AI Act emphasise ethical AI. Policymakers around the world are scrambling to set limits and increase accountability — treating generative AI with urgency because of its potential for affecting broad swathes of society profoundly and rapidly.

Savvy enterprises will want to get ahead of AI mandates. Our respondents are well aware of their imminence: they’ve told us that AI regulations, more than any other, could significantly affect their future revenue growth.

Among the 37% of respondents anticipating AI regulation, three-quarters think the costs of compliance will also be significant. About two-fifths say they’ll need to make major changes in the business to comply.

 

 

Amid regulatory uncertainty, companies can control one thing: how they deploy GenAI in a responsible way in their environments, which can position themselves for compliance. Seven major developers of LLMs are showing the way. At the heart of a voluntary pledge they recently signed with the US government is an agreement to start placing guardrails around the technology’s capabilities.

Channel your enthusiasm into trusted, ethical practices

Enthusiasm for AI is so high that 63% of our executive respondents said they’d personally feel comfortable launching GenAI tools in the workplace without any internal controls for data quality and governance. Senior execs in the business are even more so inclined (74%) than the tech and security execs.

However, without governance, adoption of GenAI tools opens organisations to privacy risks and more. What if someone includes proprietary information in a GenAI prompt? And without training in how to properly evaluate outputs, people might base recommendations on invented data or biased prompts.

Employees also need to be on guard against prompt injection risks, which Open Source Foundation for Application Security (OWASP) highlighted as the top security risk related to using LLMs. Prompt injections, also called jailbreaks, refer to prompts designed to elicit unintended responses by LLMs by overwriting system prompts or manipulating inputs from external sources.

 

 

The place to start with GenAI — as with almost any technology — is by laying the foundation for trust in its design, its function and its outputs. This foundation begins with governance, but concentrating on data governance and security concerns is especially important. The lion’s share of respondents overall say they intend to use GenAI in an ethical and responsible way: 77% agree with this statement.

 


Don’t overlook people

GenAI tools will be able to quickly synthesise information from multiple sources to aid in human decision-making. And, given that 74% of breaches reportedly involve humans, governance of AI for defence ought to include a human element as well.

Enterprises would do well to adopt a responsible AI toolkit, such as PwC’s, to guide the organisation’s trusted, ethical use of AI. Although it’s often considered a function of technology, human supervision and intervention are also essential to AI’s highest and ideal uses.

Ultimately, the promise of generative AI rests with people. Every savvy user can — should — be a steward of trust. Invest in them to know the risks of using the technology as assistant, co-pilot or tutor. Encourage them to critically evaluate the outputs of generative AI models in line with your enterprise risk guardrails. Rally security professionals to follow responsible AI principles.

Select a country or region from the list to explore local insights

About the survey

The 2024 Global Digital Trust Insights is a survey of 3,876 business, technology and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs and C-Suite officers) conducted in May through July 2023. 

Four out of ten executives are in large companies with $USD 5 billion or more in revenues. Importantly, 30% are in companies with $USD 10 billion or more in revenues.

Respondents operate in a range of industries, including industrial manufacturing (20%), financial services (20%), tech, media, and telecom (19%), retail and consumer markets (17%), energy, utilities, and resources (11%), health (9%) and government and public services (3%).

Respondents are based in 71 countries. The regional breakdown is Western Europe (32%), North America (28%), Asia Pacific (18%), Latin America (10%), Eastern Europe (5%), Africa (4%) and the Middle East (3%).

The Global Digital Trust Insights Survey was formerly known as the Global State of Information Security Survey (GSISS). In its 26th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.

PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

 

Follow PwC India

Required fields are marked with an asterisk(*)

By submitting your contact information you acknowledge that you have read the privacy statement and that you consent to our processing the data in accordance with that privacy statement including international transfers. If you change your mind at any time about wishing to receive material from us you can send an e-mail to privacy@pwc.com.

Contact us

Hide