[MUSIC PLAYING] Hello, everybody. Welcome to One Identity's Cybersecurity Threat and Insights video series. My name's Darren Thomson. I'm the vice president of product marketing, and I'm interviewing the industry's thought leaders so that you can directly hear from them about the challenges they're facing and the solutions that they found.
Today's interview is with Andrés Diego, who is a partner at PWC and responsible for business security solutions. Andrés, thanks for joining us today. We really appreciate your time. Perhaps we could bring the conversation today immediately to your role at PWC in Spain. Talk us through your role and your involvement and relationship with cybersecurity.
OK, thank you very much for having me here. Well, partner responsible for identity and data governance services at PWC Spain. I belong to the business security solutions unit, which is in the consulting division, and we are concerned about all the cybersecurity landscape.
We have three main line of services, which are related to cybersecurity itself with a more technical approach. We have also services around IT risk and compliance. And finally, we have the third line of service, which is the one that I lead, which is identity and data. And here, as you can imagine, we are working with different approaches from a strategic point of view and also from the operational one in identity and access management programs, identity governance, and also taking account of all the data governance aspects that our clients require.
So I've been working for more than 14 years in PWC, mainly related to cybersecurity, so I have a good overview of the situation in this specific field.
We have lots to talk about.
[LAUGHS] Yeah, sure.
So Andrés, I know you've recently published a PWC report, the global trust survey. Tell us a little bit about the focus of that report. I noticed that, unusually and, I think, very positively, it focused heavily on the CISO's role and the role of the board of directors in cybersecurity. First of all, why did you focus in that way?
Well, we, as a firm, would like to be concerned about the perception of the cybersecurity at the c-suite level. So we think that there has been a huge change in the last few years. Cybersecurity has become not only a technical aspect. It's been a business concern.
So we would like to understand how the c-suite is taking care of it from different perspectives, as you can imagine, from the operational side, legal, financial. So this is why these surveys focus on understanding these business priorities and, for sure, transpose those-- how companies are transposing those priorities into the CISO so feel of competence. So it's been really interesting to understand how they are doing things around cybersecurity from the business to the technical side.
So really interesting topic, what are the key findings of the report, then?
Well, the main finding that we have come across is that, well, the CEO is really concerned about cybersecurity right now. What we've seen is that the probability of occurrence of cyber incident is now really imminent for many companies, so the CEOs are really concerned around how resilient will be the companies in case that they have to face one.
So this is the top finding that I would try to highlight here. And related to that, we have also seen that, in the c-suite level, also the CFO is related how the business operations may be impacted by a cyber incident, what would be the financial cost. And they would like to have-- the real finding about the surveys that they would like to have proper KPIs, proper KRIs to understand how this is managed by the company from the different levels, as I said, operational, legal, financial, and strategic. And we have seen a huge change from the past few years until now, and the level of maturity in that sense has been really improved.
So that's really positive, in one way, for security. For years and years, myself and others have been trying to get the board of directors to take this topic a lot more seriously, but I guess it also puts new kinds of pressure on the CISO and the CISO's team as well.
Yeah, I think that CISOs are taking care for at the operational level very well. They have pulled a lot of measures, a lot of controls, and the level of maturity in general, I would say, it's quite high. But they have a lot of room for improvement in some other aspects related to how they report these risks to the board level.
So they have to build the proper KPIs, the proper KRIs, as I said, to make sure that they let the board understand how they are going to give response to a specific incident and how this incident may impact them.
That makes sense.
And that's the main challenge that most CISOs are now facing.
Got it. So one of the findings of the report that I gravitated to was that, in general, when CEOs were asked about the performance of their CISOs, the CISOs came out quite well this time around. They were very often scoring kind of exceptional, so are we are we done with cybersecurity, we finished?
Not at all. Not at all, I would say. As I say it, I think that the level of maturity in terms of how the companies are prepared has been increasing in the past few years, but you have to understand that cybercriminals are always one step forward. So we have to be prepared.
And the main challenge also for the CISOs is not only to give response to a specific incident, because most companies know and understand that they are going to face one, is try to be resilient to the incident. And that's a bit of change when, in the past, when we were planning our-- how to give response to a specific incident, we have the contingency plans. We have some kind of business continuity plans.
And now, a cyber incident may vary the ways of attack, the way they are going to jump to one system to another. So the companies have to face those type of incidents with a different approach and try to be resilient.
Interesting. So let's talk a little bit about the dynamic, then, between some of those business roles versus what, I guess, used to be technical roles, still technical roles but with a business responsibility. So in particular, the dynamic between the CEO, the CIO, and the CISO, how do you see that changing at the moment?
I think that they have a much more direct relationship between all of them. For sure, it depends from one company to another. But now, what we have seen in most companies, at least here in Spain, is that the CEO has a direct relationship with the CIO in terms of they are really concerned on how the digital programs are being run.
We do know that most of our companies, our clients, are facing cloud transformation programs. They do have to report with a very often way to the CEO, and the CISO is now working together with the CIO as they are facing, in these programs, new challenges and new threats in this cloud landscape. So they have to be working very close with each other and making sure that they give the right information to the CEO to make the decisions that they have to. So what we have seen is that it's working really smooth in most companies.
Yeah, what's really nice to see is that the CISO used to struggle to talk to the business, even if they had relevant information. Sometimes that was conveyed in more of a technical way, so the business leaders were unable to understand. But we seem to be seeing improvement in that area.
Yeah, because I also think that the CISO role has changed dramatically from a technical role to a more business-oriented role, and many companies have also changed the type of profile that they have appointed as a CISO. So they have to be very much connected to the business. They need to understand much more the business needs, the business priorities to make sure that they put the right measures and right controls align with the business needs. So that's a huge change in my opinion.
Interesting. So let's change gear. The other thing that came up as a topic in the report was the importance of managed services and, in our case, I guess, managed security services. So talk us through the report findings and how you guys at PWC are thinking about that.
Well, what we have seen is the managed security services are, well, a good leverage in order to-- for a specific field of competence, like cybersecurity in which it's a market very demanding and there is a lack of resources. It's a good way to improve the operation from the cybersecurity perspective. But we have also seen that there is a lack of control in that sense, and the conclusions of the report are aligned with that.
But what companies need to do is to define appropriate third-party risk-management framework. They have been controlling the internal risks very well, and they have focused on that. But as they rely on outsourcers and partners to operate some critical parts of a business, they have to make sure that they define the appropriate controls, even for them.
From different points of view, from the legal perspective, you have to include specific clauses in the contracts that you sign with then, from the technical perspective, including some controls or measures that they need to enable on their side, and also from the strategic point of view, when you have to define proper SLAs to ensure the way they are going to operate is aligned with your expectations. So this is something that we've been working in with some clients, and for me, it's a critical point that many companies have room for improvement.
Yeah, it feels like a logical evolution to me. Managed security services is still relatively young in the industry. I think a lot of people kind of rushed into that idea. They don't have their own security teams. That would make a lot of sense, and now seems the right time to adjust and harden that capability so that it serves people correctly. That makes a lot of sense.
Mhm, mhm, yeah, yeah, we totally see it. And this is-- I think that is not a trend, and this is going to be even more, much more common in the future. So we are putting in some specific pieces of market, which are tremendously regulated, I would say. Most of the supervisors and regulators are focused on that, especially, for example, on financial sector. The supervisor and the regulator is focused on how entities are dealing with the third parties, so it's something that that's critical.
Makes sense. So finally, Andrés, talking about identity, so specifically the identity focus, I was dismayed actually to see a very high proportion of the respondents to the survey consider themselves somewhat immature with regards to implementation of identity solutions, things like privileged access management, for example. So talk us a little bit about that situation. What is the fix here?
What we've seen is that most companies have tried-- have been focused on, well, the provision side. I would say they would like to implement more automated processes in order to manage identities and be much more efficient in that sense. But they have not been so much focus on the governance side, and this is something that now the companies have to face, defining much more robust governance models in terms of identity, making sure that they enable not only the provision but also the certification processes, make sure that you give the right access to the right people at the right moment and in a continuous improvement ways.
And also as part of these governance models, they are trying to implement the zero-trust approach in which, well, there are multiple factor of authentication. Also the privilege account management are other components that are related to the typical identity and access management solutions that are going to give these features to the company. They have room for improvement, again, but I think that most companies have a strong strategy in that sense, and they are both in a good way.
So on the path but certainly some maturing to happen.
You never end with this.
Continuous improvement program--
Andrés, we're out of time, unfortunately, but I really appreciate you spending some time with us today and just giving us your insights, always very, very valuable. And thank you everybody for joining us for this video series, and I look forward to seeing you in the next one.