Four ways CISOs in TMT can support CEO priorities in the year ahead

PwC recently released its 26th Annual CEO Survey, our research into the attitudes and opinions of 4,410 business leaders globally. Our survey reveals a resolute commitment among UK CEOs[1] to invest in talent and technology. It sheds light on how they’re responding to major short-term challenges. But it also highlights how they’re balancing that response with urgent action to transform their organisations for longer-term growth, pursuing diversification, greater integration with their supplier and partner ecosystem and more rapid product innovation to deliver competitive advantage. Cyber security will continue to be a priority for TMT CEOs, and their CISOs will need to deliver a more agile, data-driven approach to security to support the high pace of change.

UK Tech, Media and Telco (TMT) CEOs are generally more optimistic regarding the global economy with 28% believing it will improve compared with 21% of UK CEOs overall. In line with this, 60% expect the global economy to decline compared with 71% of UK CEOs overall. Focusing in on the UK economy[2], 21% of UK TMT CEOs foresee an improving picture, much higher than the 9% of CEOs in general.

Looking past the higher optimism (albeit against a low base) of TMT CEOs then, what can we find to inform chief information security officer (CISO) agendas for 2023? Drilling down into the specifics of the responses of CEOs in the TMT industries reveals some notable differences with the broader executive population as a whole.

Over a fifth of UK CEOs as a whole think their business will no longer be viable in its current form within ten years. TMT CEOs are marginally less confident than cross-industry peers, but they are less likely to be considering radical transformation of their organisation (37% vs 51% of all CEOs) or of its supply chain (31% vs 46%). Unsurprisingly, however, they rank technology transformation as a higher priority.

UK TMT CEOs are also considering widening and diversifying their supply chains and the ecosystem which brings innovation to their businesses. They reported a greater desire to collaborate and engage with smaller businesses, startups and entrepreneurs (40% considering, vs 21% of all UK CEOs), potentially opening up the business ecosystem and its attack surface significantly.

The survey also suggests that stasis in the business operating model for TMT may be about focusing on putting in place a stable platform for growth. Diversification in other ways comes through in the results too. 77% of UK TMT CEOs reported that product/service diversification will be considered to drive growth and mitigate risk in the next twelve months.

So what does this mean for CISOs? How should their strategies evolve to support their CEO’s agenda?

Despite the economic picture, it’s clear that most CEOs see both the need and the opportunity to continue investing in their strategy: although budgets are under scrutiny, retrenchment of the transformation agenda across TMT is less likely than we might imagine, with only 21% of CEOs slowing their investment plans.

Risk

Transformation is likely to continue, particularly increasing the complexity of the third party ecosystem around high tech businesses - suppliers, innovation partners, collaborations and acquisitions. CISOs need to continue to remodel their third party risk management approach to consider a wider range of possible relationships, and move away from standardised transactional assessments towards gaining a deep understanding of how their business’s strategic partnerships create value. The traditional indicators of third party cyber risk may not truly reflect the strategic importance of some of these nascent partnerships.

This need for a dynamic approach to risk management extends beyond the third-party ecosystem. As my colleague Tom Nash comments in his recent article on regulatory compliance, tech organisations who are able to adapt rapidly to events, and use a wide range of internal and external risk data to manage compliance dynamically, will be able to take competitive advantage. The same increasingly applies to risk management. As TMT organisations become entwined in wider ecosystems, deploy more integrated customer propositions, and push into new markets, a network effect is created. CISOs need to move away from static governance, risk and compliance (GRC) approaches where long lists of “point” risks are managed, towards a data-driven approach which recognises the network effect of product and partner ecosystems.

Key building blocks of this journey are to work closely with stakeholders across the business’s ecosystem to build a clear view of the internal and third party value chain, and develop a strategy for collecting near-real-time data on control effectiveness and coverage, and external threats. With this understanding and real-time data, it becomes possible to understand these networked impacts and produce live risk management information which can enrich decision making.

Identity

Identity is likely to become an increasingly interconnected, and even more important, topic in these increasingly complex ecosystems. Being able to securely and nimbly enable the development of integrated value propositions requires robust management of shared identities. This has been a topic high on the agendas for many of our TMT clients for several years, and the trend towards companies working as part of an ecosystem to create value for shared customers requires even greater focus.

At the centre of this strategy should be a focus on business-to-business identity and authentication models, and how they can rapidly be shared/federated between entities so data and services can be shared and the overhead costs of identity and access management reduced.

Geopolitics

Macroeconomic risk and cyber risk are the two risk areas which TMT CEOs feel most exposed to. Geopolitical risk comes in at number three, but clearly given recent world events there is a strong connection between geopolitics and cyber security. Many organisations we work with are developing external threat horizon scanning as part of their operational resilience agenda, but many CISOs will already have access to threat intelligence capabilities.

CISOs with well-developed threat intelligence networks and capabilities which deliver strategic threat intel beyond tactical IOC feeds and other technical data points will be well placed to help their organisation’s leadership understand and react to the external threat. If they are able to interpret and use their cyber threat intel data to inform a more strategic view, it could represent a real opportunity for a value-adding conversation with their business leaders.

And a final thought…

In their 2023 Trust Barometer, Edelman suggest that business is now viewed as the only global institution to be both competent and ethical. Their research suggests that business now holds a staggering 53% lead over government in competence and is 30% ahead on ethics. Together these paint an encouraging “macro” picture of trust in business and business leaders. Given some of the themes we explore here, there is clearly an important role for CISOs (and their emerging peers - trust and safety leaders) in helping their leaders maintain that trust through a period of exceptional external instability and internal change.


[1] Sample size: 191 UK CEOs.
[2] Note that the fieldwork for this survey coincided with the period of extreme turbulence in the UK economy in October 2022, which may have particularly impacted forward looking sentiment on the UK economy specifically.
 

Contact us

Simon Borwick

Partner, PwC United Kingdom

Tel: +44 (0)7867 196473
