Concern About Cyber Threats Rising, Despite Decline in Confidence

Cyber Confidence Declines

This year’s survey found a notable decline in firms’ confidence in each critical area of cyber resilience:

1. Understanding, assessing, and measuring potential cyber risks.
2. Being able to reduce the probability of cyber-attacks from occurring, or preventing potential damage.
3. Managing, responding to, and recovering from cyber events.
   

Taken together, these areas provide an overall measure of an organization’s cyber resilience — its ability to successfully navigate a cyber event; apply planning, assessment, prevention, mitigation, and response capabilities to manage it; and return to normal operations with minimal downtime or losses.

In 2019, the proportion of firms that reported feeling “high confidence” fell in each of these three areas compared to 2017.

Equally concerning is that significantly more organizations reported being “not at all confident” across all three pillars.

For example, more than 1-in-5 respondents in 2019 said they are not at all confident in their organization’s ability to manage or respond to a cyber-attack.

In 2019, just 11% of firms reported a high degree of confidence in all three aspects of cyber resilience.

Cyber Dissonance: Strategic Risk, Managed Tactically

Despite cyber risk being ranked high among organizational strategic priorities, most organizations continue to manage it tactically.

In general, they still struggle to create a strong cybersecurity culture with appropriate governance, prioritization, management focus, and resources. This places organizations at a disadvantage in building cyber resilience and in confronting the increasingly complex cyber risk landscape.

For example, for most firms, information technology and information security roles continue to be seen as the primary owners of cyber risk management.

In fact, the primacy of IT increased over the past two years, with almost 9-in-10 firms identifying IT/InfoSec as the main owner in 2019 — up from 70% in 2017. In a positive sign, 65% of firms identified executive leadership/board members as among those spearheading cyber risk management efforts, an increase over 2017.

In 2019, 49% of organizations cited risk management as a primary owner of cyber risk.

While this was a sizeable increase since 2017, there remains considerable room to increase the involvement of risk management teams to drive cyber risk agendas. 

The fact that IT is named as a primary owner nearly twice as often as risk management points to a continuing, mistaken view of cyber risk as primarily a technology issue, rather than a critical business risk that merits a strategic enterprise risk management approach.

The question of who leads cyber risk management is just one area in which there is dissonance between an organization’s perceptions and actions.

Despite the high level of strategic concern organizations say they have for cyber risks, not all internal “risk governors” give the issue the attention it deserves.

Only 17% of executive leaders/board members say they spent more than a few days over the past year focusing on cyber risk issues.

Even among IT respondents, 30% said they spent only a few days or less. This low allocation of time is concerning given that these two constituencies are ranked among the top three organizational owners of cyber risk management.

The importance of senior leadership driving the cyber risk agenda is underscored by the confidence gap in overall cyber resilience as reported by those who lack such leadership.

Among organizations who cited lack of senior level mandate as a barrier to effective cyber risk management, only 19% were highly confident in any of the three areas of cyber resilience, compared to 31% of all respondents.
 

Despite wide acknowledgement of cyber risk as a top priority, too few organizations currently take actions to create a strong cybersecurity “culture” with appropriate standards for governance, prioritization, management focus, and ownership.

This places them at a disadvantage both in building cyber resilience and in confronting the increasing cyber challenges of a changing technology and supply chain environment.

Three other data findings point to the dissonance between high cyber risk concerns and tactical approach:

Investment decisions are largely not based on quantitative risk measurement, and are largely reactive:

• Only 30% of organizations employ quantitative methods to measure and express their cyber exposures. While this is nearly double the number in 2017, it still means that 70% of organizations continue to use vague, descriptive methods to assess their cyber exposures – and 26% say they have no assessment method at all.
• 64% of organizations said the main trigger for increases in cyber risk investments would be a cyber-attack against their organization: a reactive approach which neglects the importance of proactive assessment, planning and measurement to optimize cyber capital allocation.

The actions taken by most organizations focus on technology and prevention to the neglect of other resilience building measures.

While 83% and 78% said they have improved hardware security and data protection respectively over the past 12 to 24 months, roughly only 30% have modelled cyber loss scenarios, conducted management table top training, or assessed supply chain risk.  Less than half said they reviewed or updated their cyber response plan.

While the range and type of actions necessary for effective cyber risk management varies by company, the best practice for all organizations, regardless of industry or size, is to apply a rigorous risk management framework to cyber risk as they do for other strategic risks.

A comprehensive approach that incorporates planning, training, risk transfer, and response rehearsal as well as prevention is the best roadmap to building cyber resilience.

Read the full 2019 Cyber Survey Report