Back in February 2013 I spent some time (armed with coffee) going through the annual report of every Financial Times Stock Exchange 100 (FTSE100) company to determine which of them mentioned cybersecurity / information security, typically as a risk in their principal risks and uncertainties section, but also elsewhere in the report.
The objective was two-fold. Firstly, to understand whether cybersecurity was actively being discussed at board level. Secondly, to identify any trends apparent in the results – for example, are specific industries really good at acknowledging all things cyber while others are not so much – and to try and ask (and answer) the question of why this might be.
The results were interesting, and probably not that surprising to anyone who worked in the field of information security at the time. The highlights were:
A year is a long time in information security, so a year later, in February 2014, I spent some more time with the updated annual reports of the 51 FTSE100 companies which previously didn’t refer to cyber in any shape or form, with one burning question – had any progress been made in getting cyber onto the corporate menu? The high notes were:
Fast forward seven years to 2021 and the world is a very different place than it was back then (in almost every way!). Cyber now gets mainstream media coverage on an hourly basis. Hacks, breaches, ransomware attacks and phishing are very much on an ‘upward’ trend, and that’s putting it politely. That burning question again… how are all of these FTSE100 companies and their boardrooms coping with these cyber challenges now?
I filled the coffee up to the brim once again and took a walk down memory lane, Annual Report Avenue to be exact. DRUM ROLL PLEASE
You’ll be pleased to know that all FTSE100 companies (yes, all 100 of them!) now make reference to the newer (some may say cooler) “cyber” term or the more mature and old school (but just as valid) “information security” term in their latest annual report. CUE LIGHTING OF FIREWORKS
I could leave it there, but don’t worry, I won’t. I’m going to dig a little deeper.
As I was going through the reports, from about 20 reports in it was clear that companies (and with that, boards) were starting to pay attention to cybersecurity. At that point it seemed a safe assumption that we’d have 100% ‘compliance’ with cyber, though I would of course verify this. So I changed tack: I wanted to get some quantifiable data out of this one, to be able to tell the middle part of the story, and hopefully to uncover some trends and, you guessed it, ask (and answer) the question of why they exist. The approach I took was this:
This time I’ve gone a little deeper with the analysis than in previous years – I’m using the “subsector” Industry Classification Benchmark definitions which, to be fair, didn’t exist last time around, but which give us the ability to drill down further into each specific industry.
Surprise surprise (well, not really!): banks come in at the top of the list, with an average of 47.6 (we’ll call it 48) instances of “cyber” or “information security” in their annual reports. The financial industry in the UK is probably the second most regulated industry, after health. The threat of fines and other such punishments for breaches has historically been, and continues to be, a real thing in this industry. I think that this fact alone helps focus minds at board level on investment in cybersecurity. This industry is very mature when it comes to cybersecurity, really leading the way with intelligence-led red teaming through the creation of CREST CBEST/STAR-FS engagements, which have board-level stakeholder buy-in.
One massive thing which has arrived on the scene since I last carried out this research is, CUE TRUMPET SOUND, the EU’s General Data Protection Regulation (or “GDPR” to you and me) in 2018, governing the processing of UK and EU residents’ personal data. This has been implemented into UK law, so even Brexit can’t touch this one. It carries maximum fines of about £18 million or 4% of annual global turnover (whichever is greater) for infringements. I think this has focused the minds of every remaining FTSE100 company that previously wanted to stay out of the cyber party. This is probably why we have compliance across the board now.
At the opposite end of the scale are what I would class as the more traditional or industrial companies. The instances of all things cyber don’t even make it out of single figures! I think these industries have been a bit slower to react (based on the external perspective of the annual report, anyway) and perhaps have other, more pressing priorities among their principal risks and uncertainties, which the board has decided need more investment and attention.
On a positive note, overall, the direction of travel is the correct one. I honestly didn’t know what I would find revisiting this research 7 years on. It is good to see we’ve made some progress in getting cyber discussed in the boardroom.