Cybersecurity: strengthen your strategy

Discover four avenues of reflection that stand out from conventional practices

There is a revival in cybersecurity funding. However, a larger budget is not the only answer to the problem. Could cyber investments still be more effective in protecting governance and processes?

While management teams are expressing increasingly high expectations around cyber issues, they may be reluctant to back investments that have not demonstrated sufficient effectiveness.

This does not deter them from investing: more than half of the executives surveyed expect their cybersecurity budget to increase by 6% or more (against 30% in 2020) (Global Digital Trust Insights Survey 2022, PwC).

Leaders’ views on cybersecurity investments for 2022

To maximize the effectiveness of your cyber investments and meet your executives' return-on-investment requirements, your decisions should be based on your risk analysis and the identification of your needs. But establishing a cybersecurity investment strategy is not necessarily intuitive.

To help you, here are four ideas to explore that differ from conventional practices:


1- Use cyber initiatives to create and maintain value, rather than simply protect it

Cybersecurity investments are often made in response to an attack and in a defensive posture. While many organizations remain focused on protecting the value of their business, the need for value creation is evolving. Make your management your ally and accelerate the digital transformation of your organization by aiming to reduce costs and increase revenues, while keeping an eye on the evolution of threats. In our experience, 30-40% of cybersecurity investments should be spent on protection, about 30% on detection and the remaining 30% on response to attacks and recovery. By adopting this approach, you opt for a balanced distribution of your investments and make your choices clear to your management.

Cyber investments must now be seen as value-creating and not siloed to security, control and defence issues. Cybersecurity contributes more broadly to business growth, improving customer experience and cost management. It must be seen as the cornerstone of trust.


2- Don’t let technology solutions determine your investment strategies

To avoid the “hodgepodge” effect of software solutions, it is essential to have a preliminary plan for their use. This is because some tools may have redundant functions, not synchronize properly, or not provide adequate coverage, resulting in wasted time and money.

An effective overall cybersecurity investment plan should:

  • ensure coverage of your most important risks and limit their main shortcomings;
  • develop your organization’s ability and agility to combat the next threat;
  • but also and above all be directly related to the main business objectives of your organization.

For example, companies often purchase separate solutions for consent management, preference management, and authentication. Yet, it makes sense to address the issue of identity management and consumer access as a whole, to make it an essential part of improving the customer experience. Thus, some solutions offer a full range of services to consumers, beyond the security dimension which includes the collection, data protection, identity verification or anti-fraud features. By knowing your customers' preferences and behaviours, you personalize their digital experience and improve your interactions with them, including reducing irrelevant communications. This overview is also key to building consumer confidence and indirectly supporting your revenue growth.

It is also good practice to review your tools and other software frequently and disable those that serve no purpose or no longer do, since they add complexity and can serve as a potential entry point for attacks.

3- Adopt a data-driven investment approach

When it comes to cybersecurity investments, there is no single strategy. Don’t be guided by fear, uncertainty and doubt. What works for your organization is not necessarily what has proven itself at your competitor, and the latest technology is not necessarily what you need.

However, the most relevant cybersecurity decisions depend on your ability to collect data and turn it into actionable insights. These will be key to quantifying cyber risks, threat modeling, scenario creation and predictive analytics. To maximize your ability to turn data into useful information, it is therefore important to integrate analysis tools into your decision-making model, making your cyber risk management and investment choices more relevant. Only a third of the companies that responded to PwC’s 2022 Global Digital Trust Insights survey have adopted decision support tools, giving them a head start in cyber risk management.

By quantifying cyber risks, you take a systematic approach to assessing new threats. For example, a company that wants to make acquisitions assesses transaction opportunities more quickly and systematically. A financial institution can assess threats and vulnerabilities on a daily or weekly basis to protect millions of transactions per day and remain vigilant about the effectiveness of its controls.

4- When embarking on cloud adoption, focus on shared responsibility

While 56% of executives see the cloud as a strategic platform for growth and innovation, 53% of companies say they have not yet exploited the full potential of their cloud investments, often due to a lack of effective collaboration between CISOs and risk managers (PwC US Cloud Business Survey - June 2021).

When transitioning from an on-premise to a cloud-based system, it is important to re-evaluate your existing procedures and regulations to determine if your expectations apply to this new environment. Adjustments may be required to accommodate the shared responsibility model.

Your cloud strategy must also align with your business strategy. Your investment must therefore be sufficiently calibrated and must focus on areas that are most suitable, such as change management or the development of new processes. Otherwise, you can expect a lower than average return on investment.

The challenge of the cloud is a reality for security managers: 48% of CIOs said that cybersecurity is the cloud feature to be deployed as a priority over the next 12 months (Global Digital Trust Insights 2022, PwC). A well-planned cloud-based security program can speed up your migration to the cloud. Be sure to design your program when you start planning your migration: the sooner, the better.

In summary...

Do not fight the threats of yesterday, do not equip yourself only to meet the challenges of today. Instead, create solutions that fit into your long-term vision and strategy, even during turbulent times.

Being prepared to respond to today’s cyber threats is not enough. Leverage advances in automation, data analytics and artificial intelligence to focus your resources on the biggest vulnerabilities. Build a sustainable strategy based on innovative technologies. The cyber protection of tomorrow requires you to invest in critical capabilities that will give you the agility to respond to the next generation of threats.

© 2023 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity.