There was quite a bit of banter about boardroom cybersecurity actions at RSA Conference 2019. No surprise here, as business executives understand what’s at stake and are asking CISOs to provide more cyber risk data and metrics so they can work with them on intelligent risk mitigation strategies.
This is a positive development for the long term, but it also exposes an underappreciated issue: Many organizations aren’t very good at monitoring, measuring, or mitigating cyber risk in a timely manner.
As part of a recent ESG research project, 340 cybersecurity, GRC, and IT professionals were asked to identify their organizations’ top cyber risk management challenges. The research reveals that:
- 46% of survey respondents indicate they are challenged by continually measuring all cyber risk across the IT infrastructure. Cyber risk management is dynamic. Threats and vulnerabilities change all the time, requiring constant monitoring and risk mitigation adjustments. Unfortunately, most organizations monitor risk on a periodic basis with network scans, penetration testing, threat intelligence bulletins, etc. Oltsik’s law: You can’t measure a dynamic environment with static data. But that’s exactly how many organizations approach cyber risk management.
- 43% of survey respondents indicate they are challenged by monitoring the threat landscape for cyber-adversaries and attacks that may target their organization. Many firms don’t have threat intelligence skills and simply default to blocking mode. Okay, but I’m reminded of a Sun Tzu quote: “If you know your enemy and know yourself, you need not fear the results of a hundred battles.” When it comes to cyber risk management, firms don’t know their enemy and the lack of continuous monitoring means they don’t know themselves well either. Yikes!
- 36% of survey respondents indicate they are challenged by tracking sensitive data flows. At the end of the day, protecting sensitive data is what cybersecurity professionals are paid to do, yet many don’t know where that sensitive data resides, where it flows, or who has access to it. Again, we are missing basic requirements.
- 35% of survey respondents indicate they are challenged by communicating cyber risk to business executives. Hmm, if we don’t have the right data, don’t understand our cyber-adversaries, and don’t know where our sensitive data flows, I imagine this would be a problem.
The ESG data exposes a critical weakness: Many organizations don’t really understand the true cyber risks they face, so they throw money around willy-nilly at basic security controls and monitoring tools. To me, this is like going out in the morning without checking the weather forecast. You can look out the window and guess how to prepare, but there’s a high likelihood you’ll make the wrong decision and end up wet, cold, or both.
Given the high priority here, I believe that this cyber risk management gap represents a tremendous opportunity for innovation. Tools and services that can help CISOs develop an intelligent cybersecurity program, capture metrics, and produce business-centric reports will be in high demand. I’m also bullish on tools that apply machine learning algorithms to help CISOs identify changing risks and prioritize remediation actions based on real-time, dynamic data rather than periodic snapshots. If I were a VC, I’d be looking for investments in these areas.