RiskOptics has published the results of its first Cyber Risk Viewpoints Survey. These reveal that both information security and GRC teams may be over-confident in their cyber and IT risk management systems.
The top challenges when implementing an effective cyber/IT risk management program include an increase in the quantity (49 percent) and severity (49 percent) of cyber threats, a lack of funding (37 percent), and a lack of staffing/cyber risk talent (36 percent). The report also found that widespread misunderstandings of common cyber risk terminology could be an obstacle to developing effective strategies and communicating risk to company leadership.
Cyber attacks have been increasing for several years now and, given the financial and reputational consequences, corporate boardrooms are putting pressure on chief information security officers (CISOs) to identify and mitigate cyber/IT risk. Yet, despite the new emphasis on risk management, business leaders still don't have a firm grasp on how cyber risk can affect different business initiatives, or that effective risk management could be used as a strategic asset and core business differentiator.
Key findings from the report include:
- There are general misunderstandings around common terms. Despite all of the respondents working in InfoSec or GRC, many of them define risk, threats and vulnerabilities differently, even though the terms are distinct: a threat is an actor or event that could cause harm, a vulnerability is a weakness the threat could exploit, and risk is the combination of the likelihood that this happens and the resulting impact. Disagreement on these basics indicates major communication gaps over what to look for and how to develop effective strategies to protect systems. If the experts don't share a common vocabulary, how effectively can they communicate with company leadership?
- Perceived challenges in cyber/risk management programs vary by title and level. Directors (59 percent) and managers (51 percent) say that the increase in the quantity of cyber attacks was their biggest challenge. By contrast, SVPs say their biggest challenge is a lack of understanding of cyber/IT risks from leadership (52 percent), while C-suite respondents indicate the top challenges are a lack of funding (42 percent) and leadership turnover (40 percent).
- Communication on cyber risk among the C-suite is lacking. 30 percent of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders, indicating they may not know how to share that information in a constructive way.
- Almost a quarter (23 percent) of respondents do not evaluate third-party vendors for risk. Failure to assess third-party risk exposes an organization to supply chain attacks, data breaches and reputational damage. More concerning still, this is most common in highly regulated industries that have large ecosystems of suppliers and partners: 30 percent of respondents who work in manufacturing and 25 percent of those who work in healthcare say their companies do not evaluate third-party vendor risk.
- The healthcare and manufacturing industries need to step up their game. Of every industry surveyed, manufacturing had the highest share of respondents saying they do not communicate risk around specific business initiatives (36 percent). Meanwhile, 20 percent of healthcare respondents rate their risk management software as only somewhat effective or less effective in mitigating risk, more than in any other industry. Healthcare respondents were also more likely to express low confidence that leaders in their organization tie cyber/IT risk to strategic planning, with almost a third (29 percent) saying they felt somewhat or less confident.
Methodology
RiskOptics fielded a survey of 261 US InfoSec and GRC leaders. Respondents ranged in job level from manager to the C-suite and worked across a variety of industries.