12 Key Findings from “The Global State of Information Security”

March 8, 2017

PwC Global recently released their annual infosec research "The Global State of Information Security Survey 2017." The survey is global in scope, covers a broad range of industry verticals, and has strong participation with more than 10,000 respondents, with 48 percent from organizations with revenue of $500 million+. Last week, I had the opportunity to attend the Technology Association of Georgia (TAG) event hosted by PwC to review the findings of the 19th annual information security survey. 

One key trend that organizations are seeing is the dramatic increase in complexity – from an increasing attack surface due to Mobile and IoT adoption to new regulations that require more controls. What is becoming clear is that security programs must focus on fundamentals such as employee training, cutting-edge policies and controls, and an organizational commitment to readiness and resilience.

Here are 12 key findings from PwC's The Global State of Information Security Survey 2017.

General Takeaways

1. Year-over-year spending on Cybersecurity was flat, although some industries increased spending and others decreased spending.

2. Healthcare and Financial services invested significantly more in security. The probable driver here is increased regulatory pressure.

  • Point to Consider: ACA legislation pushed for adoption of digital records in hospitals, which may be another factor driving healthcare sector security budgets.
  • While Healthcare spending on Cybersecurity increased, it decreased as a percentage of the total IT spend.

3. Retail and Telecommunications saw sharp decreases in security budgets; Telecom in particular

    • Changes in the retail business model away from brick and mortar to online sales may be a contributing factor to the decreased investments in Cybersecurity, since Point of Sale (POS) investments are diminished
    • Interestingly, Telecommunications also saw a dramatic increase (70%) in the number of incidents

4. Top 3 Drivers of InfoSec spending:

    • Internet of Things (IoT) security
    • New security requirements as business models evolve
    • Need for improved collaboration between business, digital, and IT

5. Top Attack Vectors

  • Phishing
  • Mobile devices
  • Consumer technology
  • Operating Technology (Industrial Control Systems)

6. Insider incidents are still the #1 source of security incidents; however, the gap is closing between the two. The forecast is that external threats will surpass insider incidents in the next 2-3 years.

7. Cybersecurity Governance is evolving. This topic came up at MIT EF's "2017 Trends in Cybersecurity" as well, where CISOs are reporting to the CEO directly instead of the CIO. Boards are getting smarter on security and engaging more in providing governance oversight to the enterprise.

Cloud Security

8. “Cloud First Strategy” for small to mid-sized firms. [My two cents: Just as mobile adoption has leap-frogged land line adoption in developing countries, we are seeing younger companies that are building out their infrastructure using the Cloud, bypassing on-prem data center.]

9. For larger organizations, as their infrastructure ages, they have the opportunity to move to the cloud vs. upgrading their systems in-house.  [My two cents: Implications for larger organizations is that they risk becoming a dinosaur that is easily out-maneuvered by new entrants that are more nimble and efficient.]

10. The biggest challenge with the move to the Cloud is Governance and Control of applications, data, and security.


11. The EU’s new General Data Protection Regulation (GDPR) is the game changer in privacy for companies doing business in the European Union. Key factors in the law are it's:

  • Broad Scope – defines baseline data privacy for the entire EU and is a LAW, not a directive
  • Large Impact – If you do business in the EU, you must comply. The cost to implement the proper controls will be very high.
  • Risk of Non-Compliance – Penalties for non-compliance are very high (up to 4% of annual revenue) and the law makes it easier to bring class-action lawsuits

12. The most significant risk is to big data companies, such as Google, Facebook, and other social media companies.


As Thomas Aquinas so elegantly stated:  “A small error at the beginning of something is a great one at the end.” Running a disciplined program across people, process, and technology is key to staving off cyber threats with any degree of success. While investments may wax and wane as regulations and the threat landscape alters, the weakest part of security is the end user. Investments in training, policy, and end user education are still your best bet in managing these risks.


If you enjoyed this post, subscribe to our blog and follow @Idenhaus on Twitter.

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Contact us today!

More News