Corporate boards pressure CISOs to step up risk mitigation efforts

While those working in InfoSec and GRC have high levels of confidence in their cyber/IT risk management systems, persistent problems may be making them less effective than perceived, according to RiskOptics.

The top challenges when implementing an effective cyber/IT risk management program include an increase in the quantity (49%) and severity (49%) of cyber threats, a lack of funding (37%) and a lack of staffing/cyber risk talent (36%).

Common cyber risk terminology

The report also found that general misunderstandings in common cyber risk terminology could be a deterrent in developing effective strategies and communicating risk to company leadership.

Cyberattacks have been increasing for several years now and resulting data breaches cost businesses an average of $4.35 million in 2022, according to an IBM report. Given the financial and reputational consequences of cyberattacks, corporate board rooms are putting pressure on CISOs to identify and mitigate cyber/IT risk.

Yet, despite the new emphasis on risk management, business leaders still don’t have a firm grasp on how cyber risk can impact different business initiatives—or that it could be used as a strategic asset and core business differentiator.

To better understand the current cybersecurity and IT risk challenges companies are facing, as well as steps executives are taking to combat risk, RiskOptics fielded a survey of 261 U.S. InfoSec and GRC leaders. Respondents varied in job level from manager to the C-Suite and worked across various industries.

Cyber/risk management programs challenges

Directors (59%) and managers (51%) say that the increase in the quantity of cyberattacks was their biggest challenge. Alternatively, SVPs say their biggest challenge is a lack of understanding of cyber/IT risks from leadership (52%), while C-Suite respondents indicate the top challenges are a lack of funding (42%) and leadership turnover (40%).

Over half of respondents find that completing a cyber/IT risk assessment is as hard or harder than signing up for health insurance (54%) or getting your license renewed at the RMV/DMV (55%)—both of which are notorious for being tedious and time-intensive.

The communication gap in cybersecurity

Despite all of the respondents working in InfoSec or GRC, many of them define risk, threats and vulnerabilities differently, indicating major communication discrepancies between what to look for and how to develop effective strategies to protect systems. If the experts don’t understand these issues, how effective are they in communicating to company leadership?

23% of respondents do not evaluate third-party vendors for risk. Failure to assess third-party risk exposes an organization to supply chain attacks, data breaches and reputational damage. What’s more concerning is this is happening more in highly regulated industries that have large ecosystems of suppliers and partners; 30% of respondents who work in manufacturing and 25% of those who work in healthcare say their companies do not evaluate third-party vendor risk.

Organizations must re-assess their current processes and systems

30% of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders, indicating they may not know how to share that information in a constructive way.

The healthcare and manufacturing industries need to step up their game. Out of every industry, manufacturing respondents were the highest percentage to say they do not communicate risk around specific business initiatives (36%). Meanwhile, 20% of healthcare respondents rate their risk management software as being somewhat effective or less effective in mitigating risk (which is more than any other industry).

Healthcare respondents were also more likely to express lower levels of confidence that leaders in their organization tie cyber/IT risk to strategic planning, with almost a third (29%) saying they felt somewhat or less confident.

“When it comes to strategic decision-making around business initiatives, cyber and IT risk can be an invaluable tool that not only better protects an organization but propels growth. However, to be able to use cyber risk to their advantage, company boards have to first understand it,” said Michael Maggio, CEO an CPO of RiskOptics.

“Our report indicates that there are still major hurdles teams need to overcome when communicating risk and more efficiently managing workloads. Organizations must re-assess their current processes and systems, embrace automation and put risk in the context of the business. Only then will executives be able to see the opportunity that risk can provide when proactively managed: a strategic advantage,” concluded Maggio.