Introduction
Since the pandemic, cyber threats against organizations have intensified. Blame it on a “perfect storm” of factors—millions of employees working remotely; new digital technologies being rolled out faster than ever; IT and security teams grappling with increasing pressures and attack surfaces; plus, of course, mounting psychological stress which makes workforces more vulnerable to phishing attacks and the like. Cyber criminals are actively exploiting this crisis. Trend Micro detected more than 16 million COVID-19-related threats in 2020, including malicious URLs, spam, and malware. Meanwhile, 61% of IT managers reported an increase in cyberattacks on their organization, according to a Sophos report.
How are organizations coping with this escalation in threats? To find out, we surveyed key IT and cybersecurity executives across geographies and industries. The findings, contained in MetricStream’s State of IT and Cyber Risk Management Survey Report 2021, reveal that since the pandemic, 45% of respondents have changed their plans and approaches to cyber risk and compliance management. Another 42% have increased the scope of their IT/ cyber risk and compliance programs. Meanwhile, 33% have deployed new tools and systems to enhance efficiency. Based on these and other findings, here are five best practices that we believe will become increasingly important for organizations to strengthen cyber risk and compliance management.
Implement Mature Cyber Risk and Compliance Technologies
Over half of all respondents (55%) reported that their top priority in 2021 is to create real-time visibility into IT/ cyber risks and compliance. Yet 83% use cybersecurity tools that aren’t necessarily aligned with this objective. For instance, 36% leverage basic office productivity software such as spreadsheets which can make data aggregation and consolidation a cumbersome, time-consuming affair. Similarly, 21% use point solutions that aren’t integrated with risk and compliance systems, and therefore, fail to provide a holistic risk view.
So, it’s no surprise that the top two cyber risk and compliance challenges confronting respondents are a lack of visibility into cyber risks across their organization, as well as a lack of automation in cyber risk and compliance management.
Today’s decision-makers need faster and better risk intelligence—which calls for a mature cyber risk and compliance management solution—one that can integrate with multiple IT security management tools, security intelligence feeds, and other data sources to provide a unified view of IT and cyber risks. An ideal solution would also automate IT risk and compliance assessments, enable continuous risk monitoring, and deliver actionable risk insights for decision-making.
The good news is that organizations are planning to upgrade their cybersecurity architecture in the coming year. Thirty-eight percent of respondents are looking to adopt tools for IT and security data aggregation and analytics, while 30% are interested in implementing a centralized cyber risk and compliance solution. Better tools translate into better cybersecurity governance.
Assess Risks Frequently
As cyber attacks grow more frequent and sophisticated, cyber risk and control assessments can no longer afford to be a sporadic activity. The smallest lapse in security controls can be exploited by cyber criminals, resulting in potentially high financial losses, reputational damage, and regulatory fines.
A continuous cyber risk and control assessment can help guard against these losses by providing an up-to-date snapshot of the threats and security risks confronting an organization. It enables teams to identify mission-critical assets, diagnose the data processed by these assets, and quantify the associated risks. The resulting insights help IT security managers make more informed decisions about resource allocation, tooling, and controls for threat and vulnerability prevention.
In our survey, more than a third of respondents (36%) conduct risk and control assessments on a continuous basis. Among these respondents, the majority (52%) are large organizations with more than 10,000 employees, followed by mid-sized organizations (36%).
Appoint a Chief Information Security Officer (CISO)
While technology is key to an effective cyber risk management program, so also are people. A CISO, in particular, brings to the table specialized knowledge and skills to understand the IT security threat landscape, devise policies and controls to mitigate risks, lead audit and compliance initiatives, and report back to the board on the organization’s overall cyber risk and compliance posture. In today’s digital age, appointing a CISO is no longer an option, but a business imperative.
Organizations are fast realizing this. In our previous IT Risk and Compliance Survey Report, only 29% of respondents reported that their IT risk program rolled up to their CISO. Today, these numbers have improved slightly with 39% of respondents reporting that their organizations have a CISO. Still, 43% continue to depend on Chief Information Officers (CIOs), Chief Technology Officers (CTOs), or Chief Risk Officers (CROs) to do the job.
Five focus areas for the CISO in 2021 and beyond
Be Proactive About Regulatory Compliance
Organizations today have to contend with a wide range of IT compliance requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Homeland Security Act in the US, as well as the General Data Protection Regulation (GDPR) and the European Banking Authority (EBA) guidelines on ICT and security risk management in Europe.
Given the scope and complexity of these requirements, it isn’t surprising that compliance is one of the biggest challenges for 39% of respondents. In fact, 41% plan to invest in specific solutions for regulatory compliance over the next year. This is a good sign as compliance is the first step towards building confidence and credibility with investors, shareholders, customers, and of course, regulators.
There are various ways organizations can strengthen IT compliance. One way is to map all compliance requirements to the corresponding risks, controls, policies, issues, and business units. This unified data model helps IT risk and compliance teams understand how a regulation impacts the business, or which compliance controls help mitigate a particular security risk.
Another way is to keep all employees and third parties updated on IT security regulations and policies through regular, engaging communication. Compliance focus areas should also be continuously re-evaluated and re-prioritized based on the risks that require the most attention.
Finally, it helps to have a robust IT and cyber compliance management solution that can simplify compliance by automating assessment workflows, tracking regulatory changes, mapping them to policies to understand their impact, and providing comprehensive visibility into the IT compliance universe.
Towards Better Cyber Resilience
COVID-19 has transformed the way we work and do business at a fundamental level. To survive and thrive in this new world, cyber resilience will be paramount. That means having the ability to not just anticipate and prevent cybersecurity threats, but also proactively detect and minimize the impact of any risks that do materialize.
At the start of the pandemic, many IT and cybersecurity measures were hastily put in place to deal with the crisis. Today, organizations must take stock of these measures, and strategically adjust cyber risk management controls based on long-term objectives. As we recover from the pandemic, we have the opportunity to rebuild a new normal with cyber resilience as a fundamental goal.
To find out more about how organizations are managing cyber risks and compliance, take a look at MetricStream’s State of IT and Cyber Risk Management Survey Report 2021.
Since the pandemic, cyber threats against organizations have intensified. Blame it on a “perfect storm” of factors—millions of employees working remotely; new digital technologies being rolled out faster than ever; IT and security teams grappling with increasing pressures and attack surfaces; plus, of course, mounting psychological stress which makes workforces more vulnerable to phishing attacks and the like. Cyber criminals are actively exploiting this crisis. Trend Micro detected more than 16 million COVID-19-related threats in 2020, including malicious URLs, spam, and malware. Meanwhile, 61% of IT managers reported an increase in cyberattacks on their organization, according to a Sophos report.
How are organizations coping with this escalation in threats? To find out, we surveyed key IT and cybersecurity executives across geographies and industries. The findings, contained in MetricStream’s State of IT and Cyber Risk Management Survey Report 2021, reveal that since the pandemic, 45% of respondents have changed their plans and approaches to cyber risk and compliance management. Another 42% have increased the scope of their IT/ cyber risk and compliance programs. Meanwhile, 33% have deployed new tools and systems to enhance efficiency. Based on these and other findings, here are five best practices that we believe will become increasingly important for organizations to strengthen cyber risk and compliance management.
Over half of all respondents (55%) reported that their top priority in 2021 is to create real-time visibility into IT/ cyber risks and compliance. Yet 83% use cybersecurity tools that aren’t necessarily aligned with this objective. For instance, 36% leverage basic office productivity software such as spreadsheets which can make data aggregation and consolidation a cumbersome, time-consuming affair. Similarly, 21% use point solutions that aren’t integrated with risk and compliance systems, and therefore, fail to provide a holistic risk view.
So, it’s no surprise that the top two cyber risk and compliance challenges confronting respondents are a lack of visibility into cyber risks across their organization, as well as a lack of automation in cyber risk and compliance management.
Today’s decision-makers need faster and better risk intelligence—which calls for a mature cyber risk and compliance management solution—one that can integrate with multiple IT security management tools, security intelligence feeds, and other data sources to provide a unified view of IT and cyber risks. An ideal solution would also automate IT risk and compliance assessments, enable continuous risk monitoring, and deliver actionable risk insights for decision-making.
The good news is that organizations are planning to upgrade their cybersecurity architecture in the coming year. Thirty-eight percent of respondents are looking to adopt tools for IT and security data aggregation and analytics, while 30% are interested in implementing a centralized cyber risk and compliance solution. Better tools translate into better cybersecurity governance.
As cyber attacks grow more frequent and sophisticated, cyber risk and control assessments can no longer afford to be a sporadic activity. The smallest lapse in security controls can be exploited by cyber criminals, resulting in potentially high financial losses, reputational damage, and regulatory fines.
A continuous cyber risk and control assessment can help guard against these losses by providing an up-to-date snapshot of the threats and security risks confronting an organization. It enables teams to identify mission-critical assets, diagnose the data processed by these assets, and quantify the associated risks. The resulting insights help IT security managers make more informed decisions about resource allocation, tooling, and controls for threat and vulnerability prevention.
In our survey, more than a third of respondents (36%) conduct risk and control assessments on a continuous basis. Among these respondents, the majority (52%) are large organizations with more than 10,000 employees, followed by mid-sized organizations (36%).
While technology is key to an effective cyber risk management program, so also are people. A CISO, in particular, brings to the table specialized knowledge and skills to understand the IT security threat landscape, devise policies and controls to mitigate risks, lead audit and compliance initiatives, and report back to the board on the organization’s overall cyber risk and compliance posture. In today’s digital age, appointing a CISO is no longer an option, but a business imperative.
Organizations are fast realizing this. In our previous IT Risk and Compliance Survey Report, only 29% of respondents reported that their IT risk program rolled up to their CISO. Today, these numbers have improved slightly with 39% of respondents reporting that their organizations have a CISO. Still, 43% continue to depend on Chief Information Officers (CIOs), Chief Technology Officers (CTOs), or Chief Risk Officers (CROs) to do the job.
Five focus areas for the CISO in 2021 and beyond
Organizations today have to contend with a wide range of IT compliance requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Homeland Security Act in the US, as well as the General Data Protection Regulation (GDPR) and the European Banking Authority (EBA) guidelines on ICT and security risk management in Europe.
Given the scope and complexity of these requirements, it isn’t surprising that compliance is one of the biggest challenges for 39% of respondents. In fact, 41% plan to invest in specific solutions for regulatory compliance over the next year. This is a good sign as compliance is the first step towards building confidence and credibility with investors, shareholders, customers, and of course, regulators.
There are various ways organizations can strengthen IT compliance. One way is to map all compliance requirements to the corresponding risks, controls, policies, issues, and business units. This unified data model helps IT risk and compliance teams understand how a regulation impacts the business, or which compliance controls help mitigate a particular security risk.
Another way is to keep all employees and third parties updated on IT security regulations and policies through regular, engaging communication. Compliance focus areas should also be continuously re-evaluated and re-prioritized based on the risks that require the most attention.
Finally, it helps to have a robust IT and cyber compliance management solution that can simplify compliance by automating assessment workflows, tracking regulatory changes, mapping them to policies to understand their impact, and providing comprehensive visibility into the IT compliance universe.
COVID-19 has transformed the way we work and do business at a fundamental level. To survive and thrive in this new world, cyber resilience will be paramount. That means having the ability to not just anticipate and prevent cybersecurity threats, but also proactively detect and minimize the impact of any risks that do materialize.
At the start of the pandemic, many IT and cybersecurity measures were hastily put in place to deal with the crisis. Today, organizations must take stock of these measures, and strategically adjust cyber risk management controls based on long-term objectives. As we recover from the pandemic, we have the opportunity to rebuild a new normal with cyber resilience as a fundamental goal.
To find out more about how organizations are managing cyber risks and compliance, take a look at MetricStream’s State of IT and Cyber Risk Management Survey Report 2021.