2021 GLOBAL DIGITAL TRUST INSIGHTS SURVEY - ENERGY, UTILITY AND RESOURCES INDUSTRY REPORT - PWC
Contents
Research Background
Demographics
Sector Summary
Consequences of COVID-19
What’s next in threats and risks
What’s next in strategies and spending
What’s next in leadership and teams
Outcomes and goals related to what’s next
Appendix
Cybersecurity comes of age
● Mere decades after “coming out” from under IT’s wing, cybersecurity is now a business-critical threat which is increasingly handled by business leaders.
● CEOs and boards are leaning on CISOs to realize the ambitions for digital transformation. CISOs who understand the value at stake are securing digitization at an accelerated pace.
● No longer technology-focused — although tech is very much in the picture — security leaders are working closely with business teams to strengthen and increase the resilience of the organization as a whole.
● Cloud adoption and other security solutions in the tech stack have matured; tech-enabled approaches have started to make a significant difference.
● Pursuit of integration and simplification will raise standards for investment decisions and governance. Risks that live now in fragmented and complex systems will be managed better.
Research Background
Survey completes by region:
● Western Europe: 1,096 completes (34% of global)
● North America: 943 completes (29% of global)
● Asia Pacific: 595 completes (18% of global)
● Latin America: 272 completes (8% of global)
● Eastern Europe: 137 completes (4% of global)
● Africa: 105 completes (3% of global)
● Middle East: 101 completes (3% of global)
Global Base Size: 3,249
Industry
Technology, Media & Telecommunications 22%
Base: 717
Retail and Consumer 20%
Base: 644
Financial Services 19%
Base: 625
Industrial Manufacturing 19%
Base: 617
Healthcare 8%
Base: 264
Energy, Utilities and Resources 8%
Base: 253
Government/ Public Services 4%
Base: 129
Study methodology at a glance
What’s next in cyber was the focus of this survey of 3,249 (clients and non-clients) business executives and IT/security executives addressing the following key questions:
• Will cybersecurity and privacy be strategically woven into every consequential or bold move that corporate chiefs are contemplating?
• How is your organisation modernising and architecting a stronger cyber future?
• What outcomes and benefits are you expecting to achieve with a better cybersecurity posture?
Business executives and IT executives
Online panel interviews conducted in local language. Clients also signed up to participate via an online registration site
44 countries globally across 7 markets:
● Africa
● Asia-Pacific
● Eastern Europe
● Latin America
● Middle East
● North America
● Western Europe
Fielding conducted July – mid-August 2020
Report Guidance
Due to routing within the questionnaire, the base size will fluctuate between questions.
Results of ‘ranking questions’ are reported by ‘index analysis’ calculations. Index analysis takes into
consideration both how many times an option has been ranked and the rank position.
This report is based on Energy, Utilities and Resources.
The data shown in this report includes:
• Global
• Energy, Utilities and Resources
• Energy, incl. Oil & Gas
• Power & Utilities
Demographics
Job Title and Tenure
[Charts: job title and tenure, Global vs. Energy, Utilities and Resources]
S1 Choose the title that best describes your role. Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
S7 How long have you held the position of [JOB ROLE] in this organisation? Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
Employee Size and Gender
NET: Less than 1,000 (Global, 32%; Energy, Utilities and Resources, 30%)
NET: 1,000 - less than 50,000 (Global, 54%; Energy, Utilities and Resources, 57%)
NET: 50,000 - less than 100,000 (Global, 9%; Energy, Utilities and Resources, 9%)
Female (Global, 28%; Energy, Utilities and Resources, 23%)
Male (Global, 71%; Energy, Utilities and Resources, 77%)
Other (Global, 0%; Energy, Utilities and Resources, 0%)
Prefer not to say (Global, 0%; Energy, Utilities and Resources, 0%)
S5 How many employees does your organisation have globally? Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
S6 What is your gender? Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
Revenue
NET: Less than US$1 billion (Global, 44%; Energy, Utilities and Resources, 49%)
NET: More than US$1 billion (Global, 55%; Energy, Utilities and Resources, 50%)
S4 Please confirm your company’s global revenue in the last fiscal year (in US dollars). Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
Impact to company revenue due to COVID-19
This year, NET: Decrease (Global, 79%; Energy, Utilities and Resources, 77%)
In 2021, NET: Decrease (Global, 64%; Energy, Utilities and Resources, 62%)
S8 What impact do you expect on your company’s revenue this year, as a result of COVID-19? Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
S9 What impact do you expect on your company’s revenue in 2021, as a result of COVID-19? Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)
Sector Summary
The 5 key takeaways your industry should know from the 2021 Global Digital Trust Insights
Energy, Utility and Resources
About the findings
PwC conducted its Global Digital Trust Insights Survey of over 3,200 technology and business executives in late July. Our findings from the Global Digital Trust Insights 2021 (Global DTI 2021) survey of 3,249 business and technology executives around the world tell us what’s changing and what’s next in cybersecurity. Below are five key takeaways on where your industry stands out from the rest.
5 key takeaways for Energy, Utility and Resources
1. Consequences of COVID-19: The COVID-19 pandemic forced accelerated digitization, with more full-time remote working than before the pandemic for EU&R business executives. As a result, the organization was modernized and new processes for budgeting cyber spending or investment were introduced. Furthermore, more frequent interactions between the CISO and the CEO were identified.
2. What’s next in threats and risks: Cyber attacks on cloud services and disruptionware attacks on critical business services of nation states or competitors are considered relevant, major possible threats. Therefore, the EU&R industry is trying to better quantify cyber risks and improve the security function’s skills set, for example by switching to real-time processes such as threat intelligence, fraud detection or critical asset inventory, and to reduce the cost of cyber operations through automation or rationalisation.
3. What’s next in strategy and spending: In 2021 the EU&R industry will invest, with a higher cyber budget, in the application of artificial intelligence in cyber defense, quantification of cyber risks, virtualization and in strategies such as the Enterprise Information Governance Model or the transition from business continuity planning to cyber resilience. The quantification of cyber risks has already begun, and future plans include security orchestration and automation as well as opt-in to opt-out privacy.
4. What’s next in leadership and teams: EU&R industry executives expect the headcount for the cyber security team to slightly increase or remain the same. New employees must primarily be creative and adaptable, and need to be highly skilled in project management and cloud solutions. The CISO leader is the operational leader and master tactician.
5. Outcomes and goals related to what’s next: EU&R industry executives would say that their organization has made significant progress over the past three years, improving employee experience, reducing the burden on employees' risk and compliance experience, and improving net promoter score. Over the next three years, the focus will be on increased prevention of successful attacks, improved confidence among executives in our ability to deal with current and future threats, and faster response times to incidents and disruptions.
© 2020 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only and should not be used as a substitute for consultation with professional advisors.
Consequences of COVID-19
Q1 - Please select the statement that best represents the current
situation of your organisation in the country where you are
based, considering the ongoing COVID-19 pandemic.
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Essential workers only at worksites 34% 30% 26% 34%
Less than 100% capacity in workplaces 30% 32% 36% 28%
At 100% capacity in workplaces 15% 19% 21% 16%
Experiencing intermittent closures due to local virus outbreaks 11% 13% 12% 15%
100% working from home 9% 5% 5% 6%
Don’t know 0% 1% 0% 2%
Q2 - Which of the following changes are most likely to be impacts of the COVID-19 experience in your industry?
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Accelerated digitalisation (e.g. e-commerce, direct-to-consumer, new business models) for growth 40% 38% 31% 45%
Permanent, full-time remote work mode for greater portion of the workforce compared to pre-COVID-19 39% 39% 31% 46%
Larger weight on the quality of IT and telecommunications (ICT) infrastructure in choice of countries where we do business 37% 32% 28% 35%
Accelerated automation for cost-cutting 35% 32% 28% 36%
Continuously updated resilience plans and tests 33% 32% 28% 37%
Greater redundancy in supply chain 29% 30% 28% 32%
Higher inventory levels of critical supplies 29% 30% 25% 34%
Reduced global footprint 25% 27% 28% 26%
Larger weight on political leadership in choice of countries where we do business 25% 28% 24% 33%
Reduced real estate footprint 24% 19% 17% 20%
Reshoring 10% 11% 10% 11%
No change due to COVID-19 2% 1% 1% 2%
Don’t know/unsure 1% 0% 0% 1%
Q3 - Which of the following changes are most likely to be impacts of the COVID-19 experience on cybersecurity in your industry?
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Cybersecurity and privacy implications baked into every business decision or planning 50% 45% 43% 47%
New process of budgeting for cyber spend or investments 44% 45% 40% 49%
Better and more granular quantification of cyber risk 44% 42% 40% 44%
More frequent interactions between CISO and the CEO or boards 43% 50% 43% 56%
Greater resilience testing to account for more low-likelihood, high-impact events 43% 42% 40% 44%
No changes due to COVID-19 4% 3% 3% 2%
Don’t know/unsure 1% 0% 0% 1%
Q4 - What is the primary aspiration for your enterprise-wide, technology-driven business transformation or major digital initiatives?
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Modernise our organisation/brand with new capabilities 31% 31% 31% 31%
To do what we have always done, but faster and more efficiently 29% 23% 26% 19%
To change our core business model and redefine our organisation 21% 24% 21% 26%
To break into new markets or industries 18% 22% 20% 23%
Don’t know/unsure 1% 1% 1% 1%
What’s next in threats and risks
A1 - In your view, what is:
(a) the likelihood that these threat vectors are going to affect your
industry in the next 12 months, and
(b) the extent of impact, if it were to happen, on your organisation?
Likelihood
Respondents who stated ‘Very likely’ or ‘Somewhat likely’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Internet of Things (IoT) 65% 64% 61% 67%
Cloud service provider 64% 61% 55% 67%
Social engineering 63% 63% 61% 65%
Mobile 62% 60% 55% 65%
Third-party and fourth-party 59% 56% 50% 62%
Impact
Respondents who stated ‘Significantly negative impact’ or ‘Negative impact’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Third-party and fourth-party 51% 52% 56% 48%
Social engineering 49% 55% 53% 58%
Cloud service provider 45% 49% 52% 47%
Mobile 44% 53% 54% 53%
Internet of Things (IoT) 44% 55% 54% 56%
A2 - In your view, what is:
(a) the likelihood of these events occurring in your industry in the next
12 months, and
(b) the extent of impact, if it were to happen, on your organisation?
Likelihood
Respondents who stated ‘Very likely’ or ‘Somewhat likely’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Cyber attack on cloud services 58% 58% 55% 61%
Ransomware breach 57% 57% 58% 56%
Disruptionware attack on critical business services 55% 58% 54% 63%
Major disinformation / misinformation (deep fakes) incident 54% 56% 46% 66%
State-sponsored attacks on critical infrastructure 50% 53% 51% 56%
Impact
Respondents who stated ‘Significantly negative impact’ or ‘Negative impact’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Cyber attack on cloud services 59% 64% 64% 65%
Disruptionware attack on critical business services 58% 62% 68% 56%
Ransomware breach 58% 62% 65% 58%
Major disinformation / misinformation (deep fakes) incident 54% 53% 56% 50%
State-sponsored attacks on critical infrastructure 53% 52% 50% 54%
A3 - In your view, what is:
(a) the likelihood of a major and successful attack from these threat actors
in your industry in the next 12 months, and
(b) the extent of impact, if there was a successful attack, on your
organisation?
Likelihood
Respondents who stated ‘Very likely’ or ‘Somewhat likely’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Cyber criminal 56% 52% 45% 60%
Hacktivist / hacker 54% 53% 46% 60%
Competitor 53% 55% 51% 59%
Third party or contractor 49% 52% 42% 62%
Nation-state 48% 54% 51% 56%
Current employee 48% 50% 44% 56%
Former employee 46% 47% 36% 58%
Impact
Respondents who stated ‘Significantly negative impact’ or ‘Negative impact’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Cyber criminal 62% 60% 65% 54%
Hacktivist / hacker 61% 62% 61% 63%
Competitor 56% 53% 56% 51%
Current employee 52% 57% 54% 59%
Third party or contractor 52% 54% 55% 52%
Former employee 51% 54% 52% 56%
Nation-state 51% 58% 61% 55%
A4 - To what extent is your organisation investing in the
following ways to improve the management of cybersecurity
risks in your organisation over the next 2 years?
Respondents who stated ‘Realising benefits from implementation’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Improve the security function’s skills set 19% 19% 13% 25%
Cybersecurity team to collaborate more with the business side in delivering business outcomes 18% 17% 13% 21%
The CISO’s greater alignment with and influence on strategy through interactions with business leaders, CEO, corporate directors 17% 19% 15% 22%
Better quantify cyber risks 17% 20% 15% 25%
Invest in advanced technologies to improve the effectiveness of my organisation’s cyber defense and security detection capabilities 17% 13% 11% 16%
Tie cybersecurity investments and spending to tangible business metrics or outcomes 17% 19% 13% 25%
Unify the reporting across the organisation on cyber risks 17% 18% 9% 27%
Move to real-time processes such as threat intelligence, fraud detection, critical asset inventory, etc. 16% 16% 11% 21%
Reduce the cost of cyber operations via automation, rationalisation and/or other solutions 15% 15% 12% 18%
A4 - To what extent is your organisation investing in the
following ways to improve the management of cybersecurity
risks in your organisation over the next 2 years?
Respondents who stated ‘Implemented at scale’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Improve the security function’s skills set 29% 26% 25% 28%
Move to real-time processes such as threat intelligence, fraud detection, critical asset inventory, etc. 28% 32% 27% 37%
Better quantify cyber risks 28% 26% 24% 29%
Unify the reporting across the organisation on cyber risks 27% 31% 30% 32%
Invest in advanced technologies to improve the effectiveness of my organisation’s cyber defense and security detection capabilities 27% 27% 27% 27%
Cybersecurity team to collaborate more with the business side in delivering business outcomes 27% 31% 27% 36%
The CISO’s greater alignment with and influence on strategy through interactions with business leaders, CEO, corporate directors 26% 24% 23% 25%
Tie cybersecurity investments and spending to tangible business metrics or outcomes 26% 27% 24% 31%
Reduce the cost of cyber operations via automation, rationalisation and/or other solutions 25% 30% 27% 33%
A4 - To what extent is your organisation investing in the
following ways to improve the management of cybersecurity
risks in your organisation over the next 2 years?
Respondents who stated ‘Started implementing’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Improve the security function’s skills set 29% 30% 34% 26%
Cybersecurity team to collaborate more with the business side in delivering business outcomes 29% 27% 29% 25%
Unify the reporting across the organisation on cyber risks 29% 26% 29% 24%
Better quantify cyber risks 29% 29% 29% 29%
The CISO’s greater alignment with and influence on strategy through interactions with business leaders, CEO, corporate directors 29% 31% 29% 33%
Reduce the cost of cyber operations via automation, rationalisation and/or other solutions 28% 25% 22% 29%
Move to real-time processes such as threat intelligence, fraud detection, critical asset inventory, etc. 28% 25% 24% 25%
Tie cybersecurity investments and spending to tangible business metrics or outcomes 28% 26% 27% 25%
Invest in advanced technologies to improve the effectiveness of my organisation’s cyber defense and security detection capabilities 27% 31% 27% 36%
A4 - To what extent is your organisation investing in the
following ways to improve the management of cybersecurity
risks in your organisation over the next 2 years?
Respondents who stated ‘Planning to do in the next 2 years’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Invest in advanced technologies to improve the effectiveness of my organisation’s cyber defense and security detection capabilities 21% 19% 22% 16%
Reduce the cost of cyber operations via automation, rationalisation and/or other solutions 20% 21% 30% 13%
Tie cybersecurity investments and spending to tangible business metrics or outcomes 20% 17% 20% 13%
Move to real-time processes such as threat intelligence, fraud detection, critical asset inventory, etc. 20% 19% 23% 14%
Unify the reporting across the organisation on cyber risks 19% 18% 21% 15%
Better quantify cyber risks 18% 16% 23% 10%
Cybersecurity team to collaborate more with the business side in delivering business outcomes 18% 16% 19% 13%
The CISO’s greater alignment with and influence on strategy through interactions with business leaders, CEO, corporate directors 18% 17% 18% 17%
Improve the security function’s skills set 17% 18% 22% 14%
A4 - To what extent is your organisation investing in the
following ways to improve the management of cybersecurity
risks in your organisation over the next 2 years?
Respondents who stated ‘Not planning to do in the next 2 years’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Reduce the cost of cyber operations via automation, rationalisation and/or other solutions 7% 6% 6% 6%
The CISO’s greater alignment with and influence on strategy through interactions with business leaders, CEO, corporate directors 7% 8% 12% 3%
Tie cybersecurity investments and spending to tangible business metrics or outcomes 6% 9% 13% 5%
Unify the reporting across the organisation on cyber risks 6% 4% 6% 2%
Cybersecurity team to collaborate more with the business side in delivering business outcomes 5% 6% 9% 2%
Move to real-time processes such as threat intelligence, fraud detection, critical asset inventory, etc. 5% 7% 11% 3%
Invest in advanced technologies to improve the effectiveness of my organisation’s cyber defense and security detection capabilities 5% 7% 9% 6%
Better quantify cyber risks 5% 5% 6% 4%
Improve the security function’s skills set 5% 5% 5% 5%
What’s next in strategies and spending
B1 - To what extent is your organisation moving to the
following new cybersecurity approaches or thinking?
Respondents who stated ‘Realising benefits from implementation’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Real-time monitoring of effectiveness of security controls 19% 19% 10% 27%
Modern identity and access management 19% 18% 13% 22%
Virtualisation 18% 18% 17% 20%
Integrated cloud security+network security 18% 17% 13% 21%
Embedding security and privacy in key business initiatives 18% 19% 13% 25%
Managed services (e.g. managed security services, managed detection and response services) 18% 19% 19% 18%
Modern data discovery, management, and governance 18% 17% 10% 25%
Security orchestration and automation 18% 16% 16% 17%
Enterprise-wide information governance model 17% 21% 14% 27%
Application of artificial intelligence in cyberdefense 17% 21% 21% 21%
Quantification of cyber risks 17% 21% 17% 26%
Accelerated cloud adoption 17% 17% 13% 22%
Move beyond business continuity planning to cyber resilience 16% 19% 17% 21%
Opt-in to opt-out privacy 16% 18% 13% 23%
Zero trust 15% 17% 17% 18%
Borderless, de-perimeterised architectures 15% 16% 12% 20%
B1 - To what extent is your organisation moving to the
following new cybersecurity approaches or thinking?
Respondents who stated ‘Implemented at scale’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Embedding security and privacy in key business initiatives 30% 31% 32% 29%
Enterprise-wide information governance model 29% 29% 27% 32%
Modern identity and access management 29% 31% 30% 32%
Accelerated cloud adoption 29% 33% 28% 38%
Quantification of cyber risks 29% 26% 28% 25%
Integrated cloud security+network security 29% 27% 28% 27%
Move beyond business continuity planning to cyber resilience 29% 33% 30% 36%
Real-time monitoring of effectiveness of security controls 28% 30% 26% 35%
Modern data discovery, management, and governance 28% 31% 29% 33%
Managed services (e.g. managed security services, managed detection and response services) 28% 24% 20% 27%
Virtualisation 28% 34% 29% 39%
Borderless, de-perimeterised architectures 27% 31% 25% 37%
Security orchestration and automation 27% 27% 25% 29%
Opt-in to opt-out privacy 27% 31% 29% 33%
Application of artificial intelligence in cyberdefense 25% 26% 22% 29%
Zero trust 25% 29% 22% 37%
B1 - To what extent is your organisation moving to the
following new cybersecurity approaches or thinking?
Respondents who stated ‘Started Implementing’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Modern data discovery, management, and governance 30% 35% 38% 33%
Quantification of cyber risks 30% 33% 35% 31%
Managed services (e.g. managed security services, managed detection and response services) 29% 31% 28% 34%
Real-time monitoring of effectiveness of security controls 29% 31% 37% 25%
Security orchestration and automation 29% 30% 31% 30%
Accelerated cloud adoption 29% 26% 30% 23%
Embedding security and privacy in key business initiatives 29% 31% 35% 27%
Integrated cloud security+network security 29% 38% 38% 37%
Modern identity and access management 29% 33% 31% 36%
Opt-in to opt-out privacy 28% 25% 24% 27%
Enterprise-wide information governance model 28% 28% 31% 25%
Move beyond business continuity planning to cyber resilience 28% 27% 25% 29%
Application of artificial intelligence in cyberdefense 28% 28% 25% 32%
Borderless, de-perimeterised architectures 27% 28% 29% 26%
Virtualisation 27% 28% 27% 29%
Zero trust 26% 25% 25% 25%
B1 - To what extent is your organisation moving to the
following new cybersecurity approaches or thinking?
Respondents who stated ‘Planning to do in the future’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Application of artificial intelligence in cyberdefense 20% 19% 24% 14%
Move beyond business continuity planning to cyber resilience 20% 17% 21% 13%
Borderless, de-perimeterised architectures 19% 17% 23% 11%
Security orchestration and automation 19% 18% 20% 16%
Zero trust 18% 18% 24% 12%
Opt-in to opt-out privacy 18% 15% 19% 12%
Managed services (e.g. managed security services, managed detection and response services) 18% 18% 24% 13%
Enterprise-wide information governance model 18% 15% 15% 15%
Virtualisation 18% 13% 17% 9%
Accelerated cloud adoption 18% 17% 24% 10%
Modern data discovery, management, and governance 17% 10% 12% 8%
Quantification of cyber risks 17% 14% 15% 13%
Integrated cloud security+network security 17% 13% 15% 12%
Embedding security and privacy in key business initiatives 17% 14% 13% 15%
Real-time monitoring of effectiveness of security controls 17% 14% 18% 10%
Modern identity and access management 17% 15% 21% 9%
B1 - To what extent is your organisation moving to the
following new cybersecurity approaches or thinking?
Respondents who stated ‘Not planning to do’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Zero trust 10% 6% 9% 4%
Borderless, de-perimeterised architectures 8% 6% 8% 3%
Opt-in to opt-out privacy 7% 7% 10% 3%
Application of artificial intelligence in cyberdefense 6% 4% 6% 2%
Virtualisation 6% 5% 8% 2%
Accelerated cloud adoption 5% 5% 6% 4%
Enterprise-wide information governance model 5% 4% 8% 1%
Move beyond business continuity planning to cyber resilience 5% 4% 6% 2%
Managed services (e.g. managed security services, managed detection and response services) 5% 6% 6% 6%
Modern identity and access management 5% 3% 4% 2%
Quantification of cyber risks 5% 4% 5% 4%
Integrated cloud security+network security 5% 4% 5% 2%
Security orchestration and automation 5% 6% 8% 4%
Modern data discovery, management, and governance 4% 4% 7% 2%
Embedding security and privacy in key business initiatives 4% 4% 4% 4%
Real-time monitoring of effectiveness of security controls 4% 4% 6% 2%
B2c - How is your cyber budget changing in 2021?
Base size shown in brackets: Global (1414); Energy, Utilities and Resources (118); Energy, incl. Oil & Gas (42*); Power & Utilities (76)
Decrease by more than 20% 2% 2% 2% 1%
Decrease by 11-20% 4% 6% 5% 7%
Decrease by 6-10% 10% 11% 12% 11%
Decrease by 5% or less 11% 8% 12% 7%
NET: Decrease 26% 27% 31% 25%
Unchanged 13% 12% 10% 13%
Increase by 5% or less 25% 31% 19% 38%
Increase by 6-10% 22% 23% 33% 17%
Increase by more than 10% 8% 4% 7% 3%
NET: Increase 55% 58% 60% 58%
Cannot determine at this time (due to economic and business uncertainty) 4% 3% 0% 4%
Don’t know/unsure 1% 0% 0% 0%
Asked to Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Security Officer (CSO), Chief Information Security Officer (CISO), VP of Cybersecurity, Director of Cybersecurity, Information Security Director, Information Technology Director, Head of IT
*Caution, low base size
B3 - Regarding your organisation’s current cyber budget and processes, how confident are you with regard to the following?
Respondents who stated ‘Very confident’ or ‘Somewhat confident’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Our cyber budget is focused on remediation, risk mitigation, and/or response techniques that will provide the best return on cyber spending 83% 84% 81% 87%
Our cyber budgets are linked to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way 82% 82% 77% 87%
Our cyber budget is allocated towards the most significant risks to the organisation 81% 81% 76% 86%
Our cyber budget process includes monitoring the effectiveness of our cyber program against the spending on cyber 81% 83% 78% 87%
Our cyber budget is integrated with decisions on capital requirements needed in the event of a severe cyber event 81% 82% 77% 87%
Our cyber budget has adequate digital trust controls over emerging technologies (like AI, IoT, blockchain, robotic process automation, virtual/augmented reality) for security, privacy, and data ethics 79% 78% 72% 84%
B4 - To what extent do you agree or disagree with the following
statements about opportunities in cybersecurity in the next 12
months?
Respondents who stated ‘Strongly agree’ or ‘Somewhat agree’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Assessments and testing — done right — will help in targeted investments in cybersecurity 76% 74% 70% 79%
Our organisation can improve our customers’ experience while strengthening compliance with privacy and data protection regulation 75% 72% 67% 76%
Privacy and data protection regulations are a compulsory part of our due diligence on potential acquisitions 75% 71% 65% 76%
Securing remote work during the pandemic revealed urgency for our organisation to modernise capabilities such as identity and access management, endpoint protection, mobile device management 74% 75% 69% 81%
Our organisation can use combinations of established and new technologies, rather than just new technologies, to significantly improve security architectures 74% 73% 72% 74%
By quantifying cyber risks, cybersecurity professionals can significantly improve our organisation’s ability to manage overall risks against spending 74% 72% 69% 75%
New solutions exist to secure cloud infrastructures better than they have ever been in the past 73% 70% 68% 71%
Moving more services and infrastructures to the cloud is foundational for the next generation of business solutions in our organisation 73% 71% 67% 75%
Automation is the primary way we can contain costs in cybersecurity without compromising our organisation’s security 73% 74% 71% 76%
Managed security services is an important part of our strategy to bridge the talent shortage and manage the costs of the security organisation 72% 70% 64% 77%
We can strengthen the cybersecurity posture of our organisation while containing cybersecurity costs 72% 72% 66% 79%
What’s next in leadership and teams
C1 – (a) What is the current FTE in your cybersecurity team?
(b) How is headcount for your cybersecurity team changing in
the next 12 months?
Current FTE
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
NET: 30 or less 31% 23% 16% 30%
NET: 31-60 30% 37% 36% 38%
NET: 61-100 24% 27% 32% 22%
NET: 101 or more 13% 11% 13% 9%
Change in headcount
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Increase by 5% or more 22% 15% 17% 13%
Increase by less than 5% 29% 33% 35% 32%
Stay the same 31% 36% 31% 40%
Decrease by less than 5% 12% 11% 12% 10%
Decrease by 5% or more 4% 4% 6% 3%
Don't know 1% 2% 0% 3%

C2 – Which of the following skills are you looking for in your new hires in the next 12 months?
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Digital Building Blocks
Data analysis 37% 31% 31% 32%
Data management 36% 31% 28% 34%
Software development and QA 31% 30% 28% 32%
Computer programming 31% 26% 23% 29%
Financial and risk analysis 31% 28% 35% 21%
Security intelligence 40% 35% 36% 34%
Systems (e.g. engineering) 29% 27% 24% 30%
Networks (e.g. configuration, protocols) 32% 28% 24% 31%
Privacy specialties (e.g. privacy engineering) 29% 30% 25% 34%
Cloud solutions 43% 39% 38% 40%
Specific technology specialties (e.g. AI, IoT, blockchain, etc.) 33% 27% 23% 31%
Business Enablers
Business process acumen 33% 33% 28% 37%
Project management 40% 39% 39% 38%
Digital design 35% 38% 35% 40%
Communicating data 35% 38% 35% 42%
Analytical skills 47% 43% 38% 48%
Social Skills
Collaboration 41% 32% 27% 37%
Critical thinking 42% 37% 39% 35%
Creativity 42% 40% 43% 38%
Communication 43% 42% 45% 40%
Persuasion 28% 27% 21% 33%
Adaptability 40% 40% 40% 40%
Emotional intelligence 33% 27% 25% 29%

C3 – Which of the following tools have proved to be most effective for your organisation to attract new talent? Rank up to 5.
Index Analysis
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Work flexibility 1 1 1 2
Compensation 2 1 1 2
Cutting edge projects, technology, and work environment 3 4 6 6
Programs for continuous upskilling within and outside, with ability to obtain non-degree credentials 3 1 3 1
Collaborative and innovative culture 3 4 3 6
Health benefits 6 4 3 11
Brand awareness 6 4 6 6
Corporate responsibility program 8 11 9 6
Diversity and inclusion program 8 4 9 6
Exposure to peers through events and networking 8 11 9 12
Tuition support to pursue college/graduate/post-grad degrees 8 4 6 2
Stress management and other health programs 8 4 9 2
Green highlight denotes if an answer option was ranked 1, 2 or 3

C4 – Which skills are the focus of your organisation to upskill your existing cybersecurity team in the next 12 months? Rank up to 5.
Index Analysis
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Digital Building Blocks
Data analysis 2 1 1 1
Data management 4 3 6 3
Software development and QA 11 3 15 1
Computer programming 11 3 3 7
Financial and risk analysis 4 13 11 10
Security intelligence 1 2 3 3
Systems (e.g. engineering) 11 13 11 10
Networks (e.g. configuration, protocols) 4 13 15 10
Privacy specialties (e.g. privacy engineering) 4 13 11 7
Cloud solutions 2 3 3 10
Specific technology specialties (e.g. AI, IoT, blockchain, etc.) 4 3 6 7
Business Enablers
Business process acumen 11 3 6 3
Project management 11 3 15 3
Digital design 11 3 6 10
Communicating data 11 13 11 10
Analytical skills 4 3 6 10
Social Skills
Social skills (collaboration, critical thinking, creativity, persuasion, communication, adaptability) 4 3 1 10

C5 – Which of the following skills in a CISO/cybersecurity leader will make the most difference to your organisation’s success in the next 12 months? Rank up to 3.
Index Analysis
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Strategic insights / ability 1 1 1 5
Ability to make data-driven decisions / take smart risks 1 1 3 1
Leadership skills 1 1 3 3
Ability to recognise and nurture innovation 4 1 2 1
Ability to educate and collaborate across the business 4 6 3 7
Team-building skills 6 6 3 5
Ability to communicate (oral and written) 6 8 8 7
Executive presence 8 1 3 3
Ability to mentor talent 8 9 9 9
Green highlight denotes if an answer option was ranked 1, 2 or 3

C6 - What is the primary role your organisation’s CISO needs to play to help your organisation achieve its growth and strategic objectives in the next two years?
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Operational leader and master tactician 20% 19% 19% 20%
Transformational leader 20% 15% 17% 12%
Experience officer 16% 16% 14% 18%
Enterprise risk authority 15% 15% 13% 17%
Value creator and protector 12% 15% 18% 11%
Resilience czar 10% 11% 9% 13%
Steward of costs 8% 9% 10% 8%
Primary role explanations can be found in the Appendix

C7 - To whom does the CISO/cybersecurity leader directly report?
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
CEO 20% 15% 14% 17%
CTO (Chief Technology Officer) 16% 14% 13% 14%
Head of IT/Technology or equivalent 14% 11% 13% 8%
CIO 12% 15% 11% 19%
Board of Directors 10% 10% 9% 12%
CRO (Chief Risk Officer) or equivalent 8% 9% 10% 7%
Chief Digital Officer 7% 8% 7% 10%
Chief Compliance Officer 5% 4% 5% 4%
CFO 4% 8% 10% 6%
General Counsel / Chief Legal Officer 4% 5% 7% 3%
Don’t know 1% 0% 0% 0%

C8/ C11 - In your view, how up-to-date are your business counterparts/ you on:
(a) the digital and cyber threat landscape
(b) what your organisation is doing about it?
Respondents who stated ‘Very up-to-date’ or ‘Somewhat up-to-date’
Tech/ Security Respondents
How up-to-date are your business counterparts on...
Base size shown in brackets: Global (1619); Energy, Utilities and Resources (145); Energy, incl. Oil & Gas (58); Power & Utilities (87)
the digital and cyber threat landscape 87% 87% 81% 91%
what your organisation is doing about it? 87% 83% 71% 91%
Business Respondents
How up-to-date are you on...
Base size shown in brackets: Global (1626); Energy, Utilities and Resources (108); Energy, incl. Oil & Gas (69); Power & Utilities (39*)
the digital and cyber threat landscape 86% 86% 87% 85%
what your organisation is doing about it? 86% 91% 87% 97%
*Caution, low base size

C9 - Which of the following ways of keeping up with fast-evolving developments in your field would you recommend to your colleagues/teams? Rank up to 3.
Index Analysis
Base size shown in brackets: Global (1619); Energy, Utilities and Resources (145); Energy, incl. Oil & Gas (58); Power & Utilities (87)
Participate in a network of peers nationally 1 2 1 4
Complete courses online or via an app 2 1 2 1
Learn through courses that help obtain certification 2 5 5 4
Participate in a network of peers locally 4 4 6 2
Rely on analysts reports 4 8 9 4
Rely on technology vendors 6 5 6 4
Attend events 6 2 4 3
Follow thought leaders online 6 9 8 8
Attend local lectures at a nearby university 9 5 2 8
Read specific publications daily 10 10 10 10
Green highlight denotes if an answer option was ranked 1, 2 or 3
Asked to Tech/ Security Respondents

C12 - Which of the following ways of keeping up with fast-evolving developments in the technology/cybersecurity field would you recommend to your peers? Rank up to 3.
Index Analysis
Base size shown in brackets: Global (1626); Energy, Utilities and Resources (108); Energy, incl. Oil & Gas (69); Power & Utilities (39*)
Rely on our in-house cybersecurity team 1 2 2 2
Rely on the Chief Information Security Officer (CISO) 1 1 4 1
Rely on the Chief Information Officer (CIO) 3 3 1 4
Complete courses online or via an app 3 6 7 4
Rely on analysts reports 3 4 4 8
Rely on tech vendors 3 4 4 9
Participate in a network of peers nationally 3 11 8 11
Follow thought leaders online 8 8 10 3
Participate in a network of peers locally 8 6 2 10
Attend events 8 8 10 4
Attend local lectures at a nearby university 8 8 9 7
Read specific publications daily 12 12 12 12
Green highlight denotes if an answer option was ranked 1, 2 or 3 *Caution, low base size
Asked to Business Respondents

C10 - How much time do you personally devote to learning new things in the technology field that improve the way you do your job?
Base size shown in brackets: Global (1623); Energy, Utilities and Resources (145); Energy, incl. Oil & Gas (58); Power & Utilities (87)
More than 10 hours per week 13% 15% 21% 11%
7-10 hours per week 23% 22% 17% 25%
3-6 hours per week 36% 37% 29% 43%
1-2 hours per week 19% 14% 19% 11%
A few hours per month 7% 8% 7% 8%
A few hours per quarter 1% 1% 2% 1%
A few hours per year 1% 2% 5% 0%
Don’t know 1% 0% 0% 0%
Asked to Tech/ Security Respondents

C13 - How much time do you personally devote to learning new things in the technology field that improve the way you do your job?
Base size shown in brackets: Global (1626); Energy, Utilities and Resources (108); Energy, incl. Oil & Gas (69); Power & Utilities (39*)
More than 10 hours per week 16% 10% 9% 13%
7-10 hours per week 24% 31% 30% 33%
3-6 hours per week 31% 38% 38% 38%
1-2 hours per week 17% 13% 16% 8%
A few hours per month 8% 4% 4% 3%
A few hours per quarter 2% 3% 1% 5%
A few hours per year 1% 1% 1% 0%
Don’t know 1% 0% 0% 0%
*Caution, low base size
Asked to Business Respondents

Outcomes and goals related to what’s next
D1 - How much progress has your organisation made in cybersecurity in the past three years?
Respondents who stated ‘Significant progress’ or ‘Moderate progress’
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Greater compliance with regulations 79% 75% 75% 75%
Improved customer experience 79% 75% 71% 79%
Faster response times to incidents and disruptions 79% 76% 74% 78%
Increased prevention of successful attacks 78% 71% 69% 73%
Improved employee experience 78% 78% 72% 84%
More successful outcomes for our organisation’s transformations 77% 75% 72% 79%
Improved confidence of leaders in our ability to manage present and future threats 77% 74% 71% 76%
Higher customer loyalty 76% 68% 65% 72%
Expedited launch of new products 76% 72% 62% 83%
Accelerated entry of our organisation into new markets 76% 74% 71% 76%
Lower downtime and associated costs 75% 72% 69% 76%
Less burdensome employee experience in managing risk and compliance 75% 76% 72% 80%
Lower costs of managing risks 74% 74% 74% 75%
Improved net promoter score 73% 75% 69% 80%
Lower costs of compliance 72% 75% 70% 81%

D2 - In the next three years, what will you be focused on, with the changes you will be making in cyber strategy, people, and investments? Rank up to 5.
Index Analysis
Base size shown in brackets: Global (3249); Energy, Utilities and Resources (253); Energy, incl. Oil & Gas (127); Power & Utilities (126)
Increased prevention of successful attacks 1 1 3 2
Improved confidence of leaders in our ability to manage present and future threats 1 1 1 2
Faster response times to incidents and disruptions 1 1 4 1
Improved customer experience 1 4 1 9
More successful outcomes for our organisation’s transformations 5 4 4 6
Lower costs of managing risks 5 9 10 9
Higher customer loyalty 5 9 4 9
Improved employee experience 5 4 4 2
Less burdensome employee experience in managing risk and compliance 9 15 12 9
Greater compliance with regulations 9 4 12 2
Lower downtime and associated costs 9 9 12 9
Expedited launch of new products 9 4 4 6
Accelerated entry of our organisation into new markets 9 9 12 6
Lower costs of compliance 9 9 10 9
Improved net promoter score 15 9 4 15
Green highlight denotes if an answer option was ranked 1, 2 or 3

Appendix
Job Title
Global Energy, Utilities and Resources
S1 Choose the title that best describes your role. Base: All respondents (Global, 3249; Energy, Utilities and Resources, 253)

Job Title - Glossary
Job Title | Tech/ Security or Business | C-suite or Non C-suite
Chief Executive Officer (CEO)/ President/ Managing Director | Business | C-suite
Chief Financial Officer (CFO) | Business | C-suite
Chief Audit Executive (CAE) | Business | C-suite
Chief Information Officer (CIO) | Tech/ Security | C-suite
Chief Information Risk Officer (CIRO) | Tech/ Security | C-suite
Chief Technology Officer (CTO) | Tech/ Security | C-suite
Chief Security Officer (CSO) | Tech/ Security | C-suite
Chief Risk Officer (CRO) | Business | C-suite
Chief Information Security Officer (CISO) | Tech/ Security | C-suite
Chief Compliance Officer / Head of Compliance / Chief Ethics and Compliance Officer | Business | C-suite
Chief Operating Officer (COO) | Business | C-suite
Chief Privacy Officer | Tech/ Security | C-suite
Chief Data Officer | Tech/ Security | C-suite
Chief Digital Officer | Business | C-suite
Chief Innovation Officer | Business | C-suite
Board Member | Business | Non C-suite
Chief Counsel / General Counsel / Chief Legal Officer / Senior Counsel | Business | C-suite
Internal Audit Director | Business | Non C-suite
VP of Cybersecurity | Tech/ Security | Non C-suite
Director of Cybersecurity | Tech/ Security | Non C-suite
Finance Director (FD) | Business | Non C-suite
Compliance Director / Director of Ethics | Business | Non C-suite
Director of Risk | Business | Non C-suite
Information Security Director | Tech/ Security | Non C-suite
Information Technology Director | Tech/ Security | Non C-suite
Privacy Director | Tech/ Security | Non C-suite
Head of Risk Management | Business | Non C-suite
Line-of-Business Leader / Head of business unit | Business | Non C-suite
Head of security | Tech/ Security | Non C-suite
Head of IT | Tech/ Security | Non C-suite
Other (Please specify) | Business | Non C-suite

C6 - What is the primary role your organisation’s CISO needs to play to help your organisation achieve its growth and strategic objectives in the next two years?
Primary Role | Explanation
Operational leader and master tactician | a tech-savvy and business-savvy CISO who can deliver consistent system performance, with security and privacy throughout our organisation and ecosystem, amid constant and changing threats
Transformational leader | a CISO who can drive cross-functional teams to match the speed and boldness of our digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans
Experience officer | a CISO who is focused on delivering a better experience to our customers and employees, and can communicate our values and ways of upholding security, privacy, and data protection to our stakeholders (customers, communities, investors, regulators, employees)
Enterprise risk authority | a CISO who is a master communicator on the impact of cybersecurity on overall enterprise risk management and is the Board’s go-to executive on cyber matters
Value creator and protector | a CISO who is focused on increasing our organisation’s ability to monetise information assets and protect that value through improved security, privacy, and data protection measures
Resilience czar | a CISO who can rally cross-functional teams to help our organisation withstand and recover from disruptions and continually improve capabilities (e.g. stress testing, real-time threat intel, fraud detection) to prevent losses from disruptions
Steward of costs | a CISO who drives judicious use of cyber resources, spending, and investments and provides data-driven, risk-based rationale for cyber expenditures