Despite heightened awareness, most companies still lack a cyber risk management strategy

Survey finds breaches causing long-term brand and reputational damage are biggest concern


Despite awareness that hackers are relentlessly launching cyber attacks, most companies say they don’t have a clearly defined risk strategy or one that applies to the entire company, a new survey finds.

The survey, conducted by the Ponemon Institute and sponsored by RiskVision, polled 641 individuals involved in risk management activities within their organizations. More than half held executive and management positions.

Joe Fantuzzi, RiskVision CEO

“There is a big disparity between awareness and implementation of risk management practices,” says Joe Fantuzzi, CEO of RiskVision, a Sunnyvale, California, enterprise risk intelligence company formerly known as Agiliance.


Eighty-three percent of those surveyed say managing risk is a “significant” or “very significant” commitment for them, but 76 percent say their organizations lack a clearly defined risk management strategy or one applicable to the entire enterprise. Only 14 percent of survey respondents think their organization’s risk management processes were truly “effective.”

Other survey findings:

  • More than half of organizations lack a formal budget for enterprise risk management. Organizations with a formal budget have allocated an average of $2.3 million for investment in risk management automation in the next fiscal year.
  • Four of every 10 respondents say the “complexity of technologies” that support risk management objectives is a “top barrier.” Roughly the same number say other challenges are “inability to get started” and difficulty hiring skilled workers.
  • Sixty-three percent of respondents fear a poorly executed risk management program will damage their companies’ reputations. Other top concerns are security breaches and business disruption.
  • More than half of respondents say there is little collaboration in managing risk among their finance, operations, compliance, legal and IT departments. They describe the lack of collaboration as “operating in silos.”
  • Sixty-nine percent of respondents say their organizations don’t rate assets based on how critical they are. The same percentage say their enterprises either don’t have, or are unsure whether they have, metrics for determining risk intelligence effectiveness.

More respondents (19 percent) work in financial services than any other industry. Respondents in the public sector were next (11 percent), followed by health care (10 percent) and industrial/manufacturing (10 percent).

Reputations at stake

The survey’s most surprising finding, Fantuzzi says, is companies’ concern about their reputations.

“We often get caught up with headlines about breaches, but what stood out the most was the overwhelming majority of organizations that fear long-term brand damage above all else,” he says.

Fantuzzi says data breaches or disruptions to business are still major concerns for organizations. “But if you asked these same organizations just a couple years ago when major brands were making headlines for record-breaking breaches, I would argue that was the top fear of executives and board members across every industry.”

There are “dozens of reasons,” Fantuzzi says, why three-quarters of organizations lack a comprehensive risk management strategy.

“Critical roadblocks,” he says, include “the complexity of technologies or not knowing how to identify the appropriate solution for your environment, the lack of resources from a financial or personnel perspective, or the basics of not knowing where to start when putting together a strategy.”

Automation, awareness improve

The study concludes, however, that organizations “are slowly improving the maturity level of their risk management program.”

Eighteen months ago, only 21 percent of organizations represented in the study measured their risk appetites in real time, using automated business unit decision-making, board-level risk analytics and metrics trending. Today, 32 percent say these activities are part of their risk management program.

The study also concludes that an increasing number of companies are automating risk management programs.

Eighteen months ago, 53 percent of organizations represented in the study used “top-down, assessment driven, reactive, manual processes, spreadsheets and siloed information.”

Now, 33 percent have advanced to bottom-up process automation, “effective with limited efficiency, centralization and analytics.” Thirty-five percent have advanced to top-down, bottom-up optimization “with real-time enterprise risk intelligence analytics for actionable business decisions.”
