New industry report finds InfoSec and GRC teams face major challenges in defining cyber risks

April 21, 2023
RiskOptics survey finds increasing cyberattacks, staffing problems, decreased funding and a lack of understanding by company leadership as other key industry obstacles

SAN FRANCISCO—April 18, 2023RiskOptics (formerly Reciprocity), a leader in information security risk and compliance, has announced the results of its first Cyber Risk Viewpoints Survey. The report reveals that while those working in information security (InfoSec) and governance, risk and compliance (GRC) have high levels of confidence in their cyber/IT risk management systems, persistent problems may be making them less effective than perceived. The top challenges when implementing an effective cyber/IT risk management program include an increase in the quantity (49%) and severity (49%) of cyber threats, a lack of funding (37%) and a lack of staffing/cyber risk talent (36%). The report also found that general misunderstandings in common cyber risk terminology could be a deterrent in developing effective strategies and communicating risk to company leadership.

Cyberattacks have been increasing for several years now and resulting data breaches cost businesses an average of $4.35 million in 2022, according to an IBM report. Given the financial and reputational consequences of cyberattacks, corporate boardrooms are putting pressure on Chief Information Security Officers (CISOs) to identify and mitigate cyber/IT risk. Yet, despite the new emphasis on risk management, business leaders still don’t have a firm grasp on how cyber risk can impact different business initiativesor that it could be used as a strategic asset and core business differentiator

To better understand the current cybersecurity and IT risk challenges companies are facing, as well as steps executives are taking to combat risk, RiskOptics fielded a survey of 261 U.S. InfoSec and GRC leaders. Respondents varied in job level from manager to the C-Suite and worked across various industries.

Key findings from the report include:

  • Perceived challenges in cyber/risk management programs vary by title and level. Directors (59%) and managers (51%) say that the increase in the number of cyberattacks was their biggest challenge. Alternatively, SVPs say their biggest challenge is a lack of understanding of cyber/IT risks from leadership (52%), while C-Suite respondents indicate the top challenges are a lack of funding (42%) and leadership turnover (40%).
  • Cyber/IT risk management tasks are taking up a lot of time. Over half of the respondents find that completing a cyber/IT risk assessment is as hard or harder than signing up for health insurance (54%) or getting your license renewed at the RMV/DMV (55%)both of which are notorious for being tedious and time-intensive.
  • There are general misunderstandings around common terms. Despite all of the respondents working in InfoSec or GRC, many of them define risk, threats and vulnerabilities differently, indicating major communication discrepancies between what to look for and how to develop effective strategies to protect systems. If the experts don’t understand these issues, how effective are they in communicating to company leadership?
  • Almost a quarter (23%) of respondents do not evaluate third-party vendors for risk. Failure to assess third-party risk exposes an organization to supply chain attacks, data breaches and reputational damage. What’s more concerning is this is happening more in highly regulated industries that have large ecosystems of suppliers and partners; 30% of respondents who work in manufacturing and 25% of those who work in healthcare say their companies do not evaluate third-party vendor risk.
  • Communication on cyber risk among the C-Suite is lacking. Thirty percent of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders, indicating they may not know how to share that information in a constructive way.
  • The healthcare and manufacturing industries need to step up their game. Out of every industry, manufacturing respondents were the highest percentage to say they do not communicate risk around specific business initiatives (36%). Meanwhile, 20% of healthcare respondents rate their risk management software as being somewhat effective or less effective in mitigating risk (which is more than any other industry). Healthcare respondents were also more likely to express lower levels of confidence that leaders in their organization tie cyber/IT risk to strategic planning, with almost a third (29%) saying they felt somewhat or less confident.

“When it comes to strategic decision-making around business initiatives, cyber and IT risk can be an invaluable tool that not only better protects an organization but propels growth. However, to be able to use cyber risk to their advantage, company boards have to first understand it,” said Michael Maggio, CEO and Chief Product Officer of RiskOptics. “Our report indicates that there are still major hurdles teams need to overcome when communicating risk and more efficiently managing workloads. Organizations must re-assess their current processes and systems, embrace automation and put risk in the context of the business. Only then will executives be able to see the opportunity that risk can provide when proactively managed: a strategic advantage.”

To view the full findings of the report, download the complete 2023 RiskOptics Cyber Risk Viewpoints Report here.

RiskOptics will be holding a webinar on April 19th at 10:30 AM PT to discuss how their ROAR platform can help to tackle some of the challenges outlined in the survey. To register, follow this link.

To learn more about RiskOptics, visit the website or stop by booth #1951 in the South Expo at the RSA Conference, taking place April 24 – 27 in San Francisco.

Methodology 

In partnership with Researchscape, RiskOptics conducted this research via an online survey that was fielded in March 2023. There were 261 respondents to the survey. The survey results were not weighted.

About RiskOptics

RiskOptics is the leader in IT risk management solutions, empowering organizations to convert risk into a strategic business advantage. The fully integrated and automated RiskOptics ROAR Platform provides a unified, real-time view of risk and compliance framed around business priorities, enabling CISOs and InfoSec teams to take a proactive approach to risk management. RiskOptics customers are able to quantify the impact of risk on their business, communicate that impact to key stakeholders and mitigate expensive data breaches, system failures, lost opportunities and vulnerabilities across their own and third-party data while adhering to compliance requirements.

 To learn more about how to make smarter, risk-based business decisions, visit www.riskoptics.com or follow us on Twitter and LinkedIn.