ERM: Understanding the State of Cybersecurity and Risk
“What’s the role of cybersecurity?”
That might seem like an obvious question. But, in the context of where cybersecurity fits in the enterprise risk equation, the answer is anything but obvious. In some organizations, cybersecurity is fully integrated with the enterprise risk management (ERM) function, alongside traditional risk areas such as fraud detection, financial compliance, legal, insurance and so on. However, in other organizations, cybersecurity only has limited (or no) involvement in ERM. Worse yet, in this age of DevOps, digital transformation and internet of things (IoT), where new and updated technology assets are deployed at blinding speeds, security organizations often are made aware of these business initiatives after the fact. In a world of continuous delivery, this creates a continuous expansion of the enterprise attack surface.
To gain some insight into the state of cybersecurity and ERM, Optiv Security conducted a survey on the topic at the 2019 RSA Conference. This was an ideal location to conduct such a survey, since it is the largest gathering of cybersecurity leaders in the world. Understanding how the crème de la crème integrates security into ERM could provide some insights into the overall state of risk and cybersecurity.
At a high level, the survey results were somewhat distressing. Nearly half of respondents (49.5%) indicated that cybersecurity risk is not fully integrated with the ERM function within their organizations. What this tells us is that despite all the headlines around data breaches and the ramifications, many business leaders still have not elevated cybersecurity into the pantheon of potential risks that could materially damage the health of their enterprises.
However, on the flip side of this coin, at least security organizations have an active communications channel with business leadership: More than 55% of respondents indicated their security leaders inform and educate business leaders in a meaningful way. Another 32.8% indicated they keep business leaders up-to-date on emerging threats and attacks. Only 11.9% responded that business leaders are “out of the loop” with cybersecurity.
One of the recurring risks our consultants see in the field is organizations using regulations such as PCI DSS and HIPAA as security frameworks. Regulations were never meant to be security frameworks, and using them that way can expose organizations to risk: a regulation only governs the data and systems within its own scope, so it is great to be PCI compliant, but if that is all you are doing, you may be leaving every system and data set outside the cardholder data environment exposed to attack. The good news is, 60.4% of respondents communicated that they take a holistic approach to security, in which compliance is an outcome, not the objective. The bad news is, nearly one-third of respondents (31.3%) indicated that their cybersecurity programs are targeted only at achieving regulatory compliance, showing that the “regulation as security framework” phenomenon is alive and well.
There was also some good news when people were asked, “Is your business prepared to respond and recover in the likely event of an attack?” Two-thirds—65.7%—of respondents said they are prepared and have a formal incident response plan in place that they practice. This indicates that organizations are embracing the importance of breach detection and response as an ERM function, as how one responds to a breach can actually have a greater long-term impact on business than the breach itself, and this sort of resilient thinking is more advanced within security than just a few short years ago. Only 8.2% indicated they were not prepared to respond to an attack, saying it would be “pure panic mode.”
In total, there was some good news and some bad news coming out of the RSA Conference. On the good side, more than half of CISOs and their security organizations have close relationships with business leadership. Had we done this poll even just five years ago, I would bet the farm that nowhere near this many people would have answered this way. This shows that cybersecurity is being embraced by more business leaders as a critically important function relative to enterprise risk. However, the fact that nearly half of respondents said security is not integrated with ERM tells us that while security is making strides in thinking in business terms, it has a long way to go before it achieves the same involvement in the business as other forms of enterprise risk. And, if enterprises are ever to reach a point where they can effectively manage the business risks associated with cybersecurity, this must happen.