Most Firms Still Lack a Cyber Strategy

Despite heightened awareness, most companies say they don’t have a clearly defined cyber risk strategy.

Despite awareness that hackers are relentlessly launching cyber attacks, according to a new survey, most companies say they don’t have a clearly defined risk strategy or one that applies to the entire company. The survey, conducted by the Ponemon Institute and sponsored by RiskVision, polled 641 individuals involved in risk management within their organizations. More than half held executive and management positions. “There is a big disparity between awareness and implementation of risk management practices,” says Joe Fantuzzi, CEO of RiskVision, a Sunnyvale, CA, enterprise risk intelligence company formerly known as Agiliance. Eighty-three percent of those surveyed say managing risk is a “significant’ or “very significant” commitment for them, but 76% say their organizations lack a clearly defined risk management strategy or one applicable to the entire enterprise. Only 14% of survey respondents thought their organization’s risk management processes were truly effective. Other survey findings:
  • More than half of organizations lack a formal budget for enterprise risk management. Organizations with a formal budget have allocated an average of $2.3 million for investment in risk management automation in the next fiscal year.
  • Four of every 10 respondents say “complexity of technologies” that support risk management objectives are a “top barrier.” Roughly the same number says other challenges are an “inability to get started” and difficulty hiring skilled workers.
  • Sixty-three percent of respondents fear a poorly executed risk management program will damage their company's reputation. Other top concerns are security breaches and business disruption.
  • More than half of respondents say there is little collaboration in managing risk among their finance, operations, compliance, legal and IT departments. They complain of “operating in silos.”
  • Sixty-nine percent of respondents say their organizations don’t rate assets based on how critical they are. The same percentage says their enterprises either don’t have — or the respondents are unsure if they do have — metrics for determining risk intelligence effectiveness.
More respondents (19%) work in financial services than any other industry. Respondents in the public sector were next (11%), followed by healthcare (10%) and industrial/manufacturing (10%). See also: Urgent Need on ‘Silent’ Cyber Risks   Reputations at stake The survey’s most surprising finding, Fantuzzi says, is companies’ concern about their reputations. “We often get caught up with headlines about breaches, but what stood out the most was the overwhelming majority of organizations that fear long-term brand damage above all else,” he says. Fantuzzi says data breaches or disruptions to business are still major concerns for organizations. “But if you asked these same organizations just a couple years ago when major brands were making headlines for record-breaking breaches, I would argue that was the top fear of executives and board members across every industry.” There are “dozens of reasons,” Fantuzzi says, about why three-quarters of organizations lack a comprehensive risk management strategy. “Critical roadblocks,” he says, include “the complexity of technologies or not knowing how to identify the appropriate solution for your environment, the lack of resources from a financial or personnel perspective or the basics of not knowing where to start when putting together a strategy.” Automation and awareness improve The study concludes, however, that organizations “are slowly improving the maturity level of their risk management program.” Eighteen months ago, only 21% of organizations represented in the study measured their risk appetites in real time using automated business unit decision-making, board-level risk analytics and metrics trending. Today, 32% say these activities are part of their risk management program. See also: First Line of Defense on Cyber Risk   The study also concludes that an increasing number of companies are automating risk management programs. Eighteen months ago, 53% of organizations represented in the study used “top-down, assessment driven, reactive, manual processes, spreadsheets and siloed information.” Now, 33% have advanced to a bottom-up, process automation, “effective with limited efficiency, centralization and analytics.” Thirty-five percent have advanced to top-down, bottom-up optimization “with real-time enterprise risk intelligence analytics for actionable business decisions.” This article originally appeared on ThirdCertainty. It was written by Gary Stoller.

Byron Acohido

Profile picture for user byronacohido

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at


Read More