Cyber Risk Management: 2019 Insights from Microsoft, Marsh, & Deloitte

A look into the perceptions and attitudes of businesses concerning cyber
security risks

Cyber risk management, or what’s sometimes called cyber
security risk management, has been identified as a growing priority for
businesses, governments, and organizations alike in recent years. More and more
businesses are embracing digital transformation to spark new growth, increase
revenue and efficiency, and to stay relevant in the face of the fourth
industrial revolution. They do this by embracing new technologies that fall
within the realms of artificial intelligence (AI), machine learning (ML), and
the Internet of Things (IoT).

But as these new and exciting technologies evolve, they
become increasingly complex. So, too, do the risks that evolve with them.


What’s particularly troubling about these growing cyber
risks is that there’s often a disconnect between acknowledging that there’s an
issue and actually taking the steps required to mitigate it. In this article,
we’ll review the findings of two surveys and reports published in 2019 — one by
Marsh and Microsoft, and the other by Deloitte — and discuss what these findings
mean for businesses and the industry as a whole.

Let’s hash it out.

2 Recent Cyber Risk Management Surveys of Note

There are many reports out there in recent years relating to
cyber risk management and the topic of cyber risk as a whole. The first report we’ll
discuss, the “Global Cyber Risk Perception Survey Report 2019,” is based on the
findings of a recent survey conducted by Marsh and Microsoft. Although the survey does have a
focus on cyber insurance, it provides a wealth of useful information relating
to organizations’ perceptions of cyber risks and their cyber security efforts.

The global cross-sector survey, conducted between February
and March 2019, shares insights from more than 1,500 business leaders who
perform a variety of roles, including risk management, infotech and infosec,
compliance, etc.

  • 22% of the survey respondents are based in North
    America (U.S. and Canada).
  • 35% of the survey respondents are based in
  • 35% of the survey respondents are based in Latin
    America and the Caribbean.
  • 25% of the survey respondents
    work at organizations with USD $1 billion or more in annual revenue.
  • Another 31% report that their organizations
    achieve between $100 million and $1 billion in annual revenue.

The second report we’ll cover is Deloitte’s “The
Future of Cyber Survey 2019.” Although this survey isn’t focused on
cyber risk alone, the topic does play an important role in the study. The
findings are based on an online cross-sector survey of 500 C-level executives
at cyber security companies that have at least $500 million in annual revenue.
These surveyed leaders include:

  • 100 chief information security officers (CISOs),
  • 100 chief security officers (CSOs),
  • 100 chief technology officers (CTOs),
  • 100 chief information officers (CIOs), and
  • 100 chief revenue officers (CROs).

Top Cyber Risk Management Findings from These Two Surveys

Now that we’ve discussed who was involved in the two
studies, let’s dive into some of the top findings from each of the reports.

1. Organizations May Be Proactive in Their Cyber Security and Cyber Risk
Management Efforts

The findings of the Deloitte report indicate that:

“… organizations are no longer taking a wait-and-see philosophy to preparing for and responding to cyber incidents. Questions related to budgets, resource allocation, and prioritization of cyber defense efforts indicate that they are proactively addressing cyber risk from various aspects of security—data, application, identity, infrastructure, and incident response.”

This is great news for sure. However, the report also notes
that organizations still have a long road ahead to align these cyber
initiatives with the digital transformation priorities of their leadership. This
is, in part, because many executives — even within the same organization — don’t
agree on what should be the top digital transformation initiative. Even when
just considering what should be the focus for the next 12 months, their
attention appears to be split between multiple initiatives, including cloud
(17%), AI/cognitive computing (15%), and several other areas.

The results from the Marsh/Microsoft survey paint a
different picture. Their data indicates that organizations tend to be more reactive
to cyber risks. Sixty-four percent of respondents answered that their
organizations would be more likely to increase their planned budget allocation
for cyber risk management if a cyber incident or attack were to occur.
(Forty-six percent said the same if news of an incident or attack affected
another organization.) Sadly, only 38% indicated that those allocations would
occur due to changing or new regulations such as the European Union’s General
Data Protection Regulation (GDPR).

In reality, the importance of the relationship between
cyber risk and risk management can’t be emphasized enough. Both cyber risk and
cyber security should be considered key factors in every enterprise risk
management (ERM) plan. However, many organizations are not sure how to
incorporate cyber risk within their ERM frameworks — as a result, they can be left
open to new or unexpected concerns.

2. Security is Viewed as a Top Concern, But…

The Marsh/Microsoft study indicates that 79% of survey
respondents ranked cyber risk as one of their top five business concerns. This
shouldn’t come as much of a surprise in light of the data breaches, hacks,
ransomware, and other threats that have been making headlines over the past few

This statistic jibes with the data from other reports,
including the World Economic Forum’s (WEF) 2019 Global Risks Report, which ranks
cyber attacks and data fraud/theft among the five most likely risks to businesses.

However, the findings from Marsh and Microsoft’s report also
show something different as well. Respondents’ answers to many of the survey
questions demonstrate “a striking dissonance between the high concern about
cyber risk and the overall approach to managing it.” Their research indicates
that, across the board, enterprises around the world could benefit by
incorporating strategic risk management principles into their approach to cyber

These best practices range from creating a strong cyber
security-focused organizational culture to viewing supply chain risk as a
collective issue that requires trust and shared security standards with

3. Organizations’ Confidence in Their Cyber Resilience is Dwindling

Although cyber risk ranks among the top five business
concerns for the majority of organizations surveyed in the Marsh/Microsoft
study, their confidence in their ability to assess, prevent, respond to,
and recover from those risks is decreasing.

The study noted a substantial decrease in confidence
concerning three main areas of cyber resilience:

  • 22% report having “no confidence” in their
    ability to manage, respond to, or recover from cyber events.
  • 19% doubt their abilities and have “no
    confidence” that they can prevent cyber incidents and attacks.
  • 18% have “no confidence” in their ability to
    understand and evaluate cyber risks.

The industry has been pouring hundreds of billions of
dollars into the cyber security market in the hope of strengthening
defenses and increasing resilience. Fortune Business Insights reports
that the market currently stands at $131.1
billion and is expected to reach $289.8 billion by 2026. Yet, despite these
efforts, the cybercrime
industry — yes, it’s an entire industry — is worth $1.5 trillion.

It’s understandable why there can be feelings of frustration
or decreased confidence. With everything companies are investing in
increasing their cyber defenses and cyber resilience, they may feel like it’s
not making enough of a difference.

It’s no wonder why these surveyed guys and gals sound like
they all need hugs.  

4. The Perceptions of Cyber Risks Within the Supply Chain Differ by
Organization Size

When considering their own organizations and third parties,
the perception of which organizations pose the greatest threats varies greatly
depending on the size of the organization. The Marsh/Microsoft survey results
indicate that larger organizations are more likely to believe their excrement
smells like roses as compared to their smaller business counterparts. What I
mean by that is 61% of companies with $5 billion or more in annual revenue indicate
that they face greater risks from the supply chain than the risks they pose to
it. Only 19% report the opposite.

The gap is noticeably smaller when considering smaller
organizations — they’re less confident about their own security and about the risks they
pose as part of the supply chain. Of those with $25 million or less in annual
revenue, 28% believe that the supply chain poses high risks to their
organizations, whereas only half believe that they pose risks to it.

When you dig into the data, you’ll also notice that
organizations expect more of themselves than they do their vendors or other
third parties. For example, 71% implement cyber awareness training
for their employees, yet only 56% expect their supply
chain partners to do the same.

5. Shadow IT and Cyber Transformation Rank as Greatest Cyber Risk
Management Challenges

Part of the decrease in confidence could be due to how cyber
risk management is perceived. The Deloitte study shows that there are gaps when
it comes to meeting the challenges of cyber risk management. Fifteen percent of
survey respondents view prioritizing cyber risk across their organizations as
an ongoing challenge.

The findings also indicate that CSOs and CIOs, in particular,
view shadow IT (34%) and cyber transformation (32%) as the two most challenging aspects of
cyber risk management. It doesn’t come as a surprise that shadow IT would rank
among the top three challenges. Unknown, unsanctioned, and potentially outdated
technologies or expired digital certificates
pose significant risks to every business. If you’re
someone who’s charged with IT security and IT management within your
organization, how can you effectively manage or assess the risks of
technologies that you may not know exist on your network or servers?

These statistics underscore the importance of actively
engaging in access management, performing threat assessments and certificate
discovery, and maintaining a current list of technologies and software.
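As an added illustration of the certificate discovery and asset inventory work described above (example code written for this article, not from the original post or either survey), the script below reconciles TLS endpoints found by a scan against the sanctioned asset list and flags expired or soon-to-expire certificates. Every host, port and date in it is constructed; the `notAfter` strings use the format Python’s `ssl.getpeercert()` returns.

```python
# Added example, not from the original post: reconcile TLS endpoints found by a
# scan against the sanctioned asset list and flag expired or expiring certs.
# Every host and date below is constructed.
import ssl
from datetime import datetime, timedelta, timezone

# Constructed "discovered" endpoints; notAfter is the OpenSSL text format that
# ssl.getpeercert() returns and ssl.cert_time_to_seconds() parses.
DISCOVERED = [
    {"host": "www.example.test", "port": 443, "notAfter": "Dec 31 23:59:59 2019 GMT"},
    {"host": "old-app.example.test", "port": 8443, "notAfter": "Mar 01 12:00:00 2019 GMT"},
    {"host": "dev-box.example.test", "port": 443, "notAfter": "Jun 15 00:00:00 2019 GMT"},
    {"host": "payroll.example.test", "port": 443, "notAfter": "Jul 01 00:00:00 2020 GMT"},
]
# Constructed sanctioned inventory: (host, port) pairs IT knows about.
SANCTIONED = {("www.example.test", 443), ("payroll.example.test", 443),
              ("old-app.example.test", 8443)}
# Fixed reference time so the report is reproducible (mid-2019, like the surveys).
REFERENCE_TIME = datetime(2019, 6, 1, tzinfo=timezone.utc)

def not_after_utc(cert):
    """OpenSSL-format notAfter string -> aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)

def classify(cert, now, warn_days=30):
    """'expired', 'expiring' (within warn_days), or 'ok' relative to now."""
    remaining = not_after_utc(cert) - now
    if remaining <= timedelta(0):
        return "expired"
    return "expiring" if remaining <= timedelta(days=warn_days) else "ok"

def reconcile(discovered, sanctioned, now, warn_days=30):
    """One finding per endpoint: inventory status plus certificate status,
    ordered so shadow assets and expired certificates come first."""
    order = {"expired": 0, "expiring": 1, "ok": 2}
    findings = []
    for cert in discovered:
        findings.append({
            "endpoint": f"{cert['host']}:{cert['port']}",
            "inventory": "sanctioned" if (cert["host"], cert["port"]) in sanctioned else "shadow",
            "certificate": classify(cert, now, warn_days),
        })
    findings.sort(key=lambda f: (f["inventory"] != "shadow", order[f["certificate"]]))
    return findings

def summarize(findings):
    """Counts for a one-line report to risk owners."""
    return {"shadow": sum(f["inventory"] == "shadow" for f in findings),
            **{s: sum(f["certificate"] == s for f in findings) for s in ("expired", "expiring")}}

if __name__ == "__main__":
    report = reconcile(DISCOVERED, SANCTIONED, REFERENCE_TIME)
    for f in report:
        print(f"{f['endpoint']:26} {f['inventory']:10} {f['certificate']}")
    print(summarize(report))
```

In a real deployment the `DISCOVERED` list would be filled from the scan results (for example, the dictionaries returned by `ssl.getpeercert()` for each reachable endpoint) and `SANCTIONED` from the CMDB or asset register.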

6. There’s a Disconnect Between the Perceptions & Reality of Cyber Risk
Management Functions

According to the Marsh/Microsoft study, a discrepancy exists
between who respondents think is responsible for “owning” cyber risk
management and who is actually spending their time focusing
on these functions. When asked to choose the three groups who are the main
owners or drivers of cyber risk management within their organization, they
identified the following groups:

  • Information technology/information security
  • Executive leadership/board members (65%), and
  • Risk management (49%).

Although executive leaders/board members rank second for
heading up cyber risk management initiatives, only 17% of executives reported
spending more than a few days focusing on cyber risk over the span of the previous

Considering that these leaders and board members are,
ultimately, responsible for the success of their organizations, it’s imperative
that they have an active role in cyber security and cyber risk management. This
is where it’s important for organizations to change their perspectives
concerning cyber risk — the reality is that it’s no longer an IT concern, it’s
an enterprise-wide issue. So regardless of positions, titles, and where it
falls within the breakdown of roles, what matters is that cyber risk management
is regarded as being important enough to influence strategy and operations.

7. Organizations Are Increasingly Depending on SOCs for Risk Management

Organizations are recognizing that they need to change their
approach to cyber risk management and mitigation. Results from the Deloitte
study indicate that traditional security operations center (SOC) models are
evolving to increase their data and analytics functionalities. They’re
increasingly adopting artificial intelligence and machine learning technologies
to enhance their visibility and automate their detection and threat response
capabilities for their enterprises as a whole.

These tools, such as cWatch Web,
provide incredible value in that they can analyze vast amounts of data and
identify and respond to threats far more quickly than any team of humans.
However, they don’t
eliminate the need for having a human element in an organization’s security
— rather, they enhance it. After all, technology isn’t perfect. And while
computers are faster than people when it comes to data analysis and threat
identification, people have unique abilities to assess and evaluate data and
threats in ways that machines cannot (at least for now).

8. More Organizations are Turning to Cyber Insurance to Reduce the Impact
of Cyber Events

Organizations are gaining more confidence in cyber insurance.
Research from the Marsh and Microsoft study indicates that uncertainty about
cyber insurance coverage has decreased from 44% in 2017 to 31% in 2019. Of
those surveyed who have cyber insurance, 89% report being fairly or highly
confident that their existing policies would cover the costs associated with a
cyber event.

Let’s hope they’re right, considering that the average cost
of a data breach globally is $3.92 million or $8.19 million for U.S.
organizations alone, according to research from IBM and the Ponemon Institute. The
publication’s data breach cost calculator shows that the U.S. is followed by
the Middle East ($6 million) and Germany ($4.8 million) for the highest average
cost of a data breach.

If the policies are insufficient, then these surveyed
companies are in for a world of hurt — financially and reputationally speaking.
Cybersecurity Ventures estimates that cybercrime damages will cost businesses
and organizations upwards of $6 trillion annually by 2021. And considering the $1.5 trillion cybercrime
industry stat we mentioned earlier, it’s easy to see why the criminal life is
so appealing to black hats.

Cybercrime truly is a booming industry, and it serves as a
strong reminder of why cyber risk management is necessary for every business.

9. Cyber Risks Aren’t Necessarily Barriers to New Tech

New technologies and innovations are attractive tools that
organizations can use to improve their operational performance and efficiency. But
not all organizations view the risks vs benefits of new technology equally. The
Marsh/Microsoft report indicates that while half of the survey respondents view
cyber risks as non-barriers to tech adoption, more than 25% do view the risks
as outweighing the potential benefits.

Luckily, most organizations err on the side of caution when
it comes to adopting and implementing new technologies — though not as much as
we’d like to see. Survey respondents reported that:

  • 74% are more likely to evaluate the risks of
    such actions prior to adoption,
  • 54% evaluate those risks post adoption,
  • 36% evaluate risks before and after adoption,
  • 5% evaluate risks at all stages of the
    lifecycle, and
  • 11% don’t evaluate risks at any point.

It’s rather disconcerting to see that only one-twentieth of
all the surveyed organizations report evaluating cyber risks at all stages of
the technology lifecycle. This is because many seem to view cyber risk assessments
as one-time events rather than continuous or ongoing evaluations. In
reality, however, cyber risk assessments help inform decision-makers and support proper
risk responses. As such, they should occur at all stages of the technology

So, why aren’t more organizations more concerned with this crucial
aspect of cyber risk management?

It could be because one-third of these surveyed
organizations trust that their technology vendors have done their due diligence
and considered any pertinent cyber risks — meaning that they don’t have to do
it themselves. Thankfully, not everyone shares this assumption — though not
many more. Only 40% say that they always perform their own
verification of security claims and security measures concerning new

10. Organizations Place More Faith in Industry Standards Than Government

The findings from Marsh and Microsoft indicate that organizations
and their employees have less faith in government laws and regulations and
approach cyber security in less prescriptive ways. The respondents also
indicated that they believe that industry guidance and standards are more
effective at increasing cyber security than government laws and regulations.
One-quarter of the surveyed organizations said they think the government’s
regulation of cyber risk is very effective, although these numbers were higher
in highly regulated industries. 

The frameworks and standards created by industry
organizations such as NIST (the National Institute of Standards and Technology)
and ISO (International Organization for Standardization) hold greater sway with
larger enterprises. Forty-eight percent of respondent organizations with $5
billion or more in revenue and 56% of financial institutions indicate that such standards are
“very effective in helping us improve our cybersecurity posture,” whereas only
29% of organizations with $100 million or less in revenue said the same.

Essentially, businesses are indicating that they prefer to
manage their cyber risks through their own methods — with one clear exception:
nation-state cyber attacks. The biggest support for government influence and protection
— as indicated by the majority of respondents from all surveyed geographic
areas and industries — relates to these dangerous threats. Overall, 54% voiced
significant concern about the impact of nation-state attacks, and 55% indicated
governments need to do more to help protect private enterprises from such

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: