Despite heightened awareness, most companies still lack a cyber risk management strategy
Survey finds breaches causing long-term brand and reputational damage are biggest concern
By Gary Stoller, ThirdCertainty
Despite awareness that hackers are relentlessly launching cyber attacks, most companies say they don’t have a clearly defined risk strategy or one that applies to the entire company, a new survey finds.
The survey, conducted by the Ponemon Institute and sponsored by RiskVision, polled 641 individuals involved in risk management activities within their organizations. More than half held executive and management positions.
“There is a big disparity between awareness and implementation of risk management practices,” says Joe Fantuzzi, CEO of RiskVision, a Sunnyvale, California, enterprise risk intelligence company formerly known as Agiliance.
Related story: What to look for in a cyber insurance policy
Eighty-three percent of those surveyed say managing risk is a “significant’ or “very significant” commitment for them, but 76 percent say their organizations lack a clearly defined risk management strategy or one applicable to the entire enterprise. Only 14 percent of survey respondents think their organization’s risk management processes were truly “effective.”
Other survey findings:
- More than half of organizations lack a formal budget for enterprise risk management. Organizations with a formal budget have allocated an average of $2.3 million for investment in risk management automation in the next fiscal year.
- Four of every 10 respondents say “complexity of technologies” that support risk management objectives are a “top barrier.” Roughly the same number says other challenges are “inability to get started” and difficulty hiring skilled workers.
- Sixty-three percent of respondents fear a poorly executed risk management program will damage their companies’ reputations. Other top concerns are security breaches and business disruption.
- More than half of respondents say there is little collaboration in managing risk among their finance, operations, compliance, legal and IT departments. They describe the lack of collaboration “operating in silos.”
- Sixty-nine percent of respondents say their organizations don’t rate assets based on how critical they are. The same percentage says their enterprises either don’t have—or they are unsure if they do have—metrics for determining risk intelligence effectiveness.
More respondents (19 percent) work in financial services than any other industry. Respondents in the public sector were next (11 percent), followed by health care (10 percent) and industrial/manufacturing (10 percent).
Reputations at stake
The survey’s most surprising finding, Fantuzzi says, is companies’ concern about their reputations.
“We often get caught up with headlines about breaches, but what stood out the most was the overwhelming majority of organizations that fear long-term brand damage above all else,” he says.
Fantuzzi says data breaches or disruptions to business are still major concerns for organizations. “But if you asked these same organizations just a couple years ago when major brands were making headlines for record-breaking breaches, I would argue that was the top fear of executives and board members across every industry.”
There are “dozens of reasons,” Fantuzzi says, about why three-quarters of organizations lack a comprehensive risk management strategy.
“Critical roadblocks,” he says, include “the complexity of technologies or not knowing how to identify the appropriate solution for your environment, the lack of resources from a financial or personnel perspective, or the basics of not knowing where to start when putting together a strategy.”
Automation, awareness improve
The study concludes, however, that organizations “are slowly improving the maturity level of their risk management program.”
Eighteen months ago, only 21 percent of organizations represented in the study measured their risk appetites in real time, using automated business unit decision-making, board-level risk analytics and metrics trending. Today, 32 percent say these activities are part of their risk management program.
The study also concludes that an increasing number of companies are automating risk management programs.
Eighteen months ago, 53 percent of organizations represented in the study used “top-down, assessment driven, reactive, manual processes, spreadsheets and siloed information.”
Now, 33 percent have advanced to a bottom-up, process automation, “effective with limited efficiency, centralization and analytics.” Thirty-five percent have advanced to top-down, bottom-up optimization “with real-time enterprise risk intelligence analytics for actionable business decisions.”
More risk-management related stories:
Underwriters, InfoSec officers must close gap on risk management
Companies should assess their risk profile and align it to a security solution
As threats multiply, cyber insurance and tech security industries start to merge