Cyber Risk Management: A Disconnect Between Business and Security


A few years ago, cybersecurity professionals often lamented that executives didn’t want good security; they wanted “good enough” security. This axiom reflected the fact that many CEOs equated cybersecurity with regulatory compliance: if the CISO could check all the right PCI, HIPAA, or SOX boxes, cybersecurity concerns were taken care of.

ESG’s Jon Oltsik

The “good enough” security attitude was anathema to the cybersecurity crowd. CISOs who wanted to adequately protect corporate assets longed for a time when business executives would truly appreciate cyber risk and would be willing to participate in, and adequately fund, cyber risk management efforts.

As the saying goes, “be careful what you wish for.” In 2019, business executives are all in, and that’s created a big problem for cybersecurity teams.

Cyber Risk Management Research

ESG recently completed a survey of 340 cybersecurity, IT, and risk professionals about cyber risk management. Survey respondents were asked to identify the most important cyber risk metrics for business executives and corporate directors. The top four priorities illustrate the gulf between business needs and technical capabilities:

  • 39% say they want security status reports related to major business and IT initiatives. In other words, they want to understand cyber risk as it relates to end-to-end business processes, not details about Windows PCs, DNS servers, or software vulnerabilities. Cybersecurity teams need to do a better job of translating geeky data into business metrics.
  • 36% say they want to know about the status and response associated with IT audits. This isn’t a new requirement, but business people want more than intermittent reviews, they want frequent updates that help guide timely risk mitigation decisions. To satisfy this need, CISOs must strive for continuous risk management analysis.
  • 36% say they want reports related to vulnerabilities in their environment correlated with other data. Yes, business people care about vulnerable assets, but they don’t want to see reports detailing software vulnerabilities across thousands of systems. Rather, they want to understand if mission-critical assets are vulnerable to known exploits in the wild, so they can prioritize mitigation actions like patching systems, segmenting traffic, restricting access, etc. In other words, cybersecurity teams must make vulnerability reporting about quality, not quantity.
  • 35% say they want more detail about ROI on security spending. According to other ESG research, 58% of organizations plan to increase cybersecurity spending in 2019. Clearly, executives are willing to fund cybersecurity initiatives, but they also want a better understanding of what they are getting for their money. This is a tough one, but somehow CISOs must figure out a way to measure cybersecurity spending in business, human, and technical terms so organizations can fine-tune budgets and spend money in the right places at the right time.
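The third priority above, correlating vulnerabilities with other data so that executives see mission-critical assets exposed to known exploits rather than thousands of raw findings, is a data-joining exercise. The following Python is an added example, not code from the original article or from ESG; the asset inventory, scanner findings and exploited-vulnerability feed are constructed sample data (the CVE identifiers use year 0000 and are placeholders, not real CVEs), and the tiering rules are one reasonable policy, not a standard.

```python
"""Correlate raw scanner findings with asset criticality and exploited-in-the-wild
intelligence, then reduce the full list to the few rows an executive should act on."""
from collections import Counter

# Constructed sample data. In practice ASSETS comes from the CMDB, FINDINGS from the
# vulnerability scanner, and EXPLOITED_IN_WILD from a feed such as the CISA KEV catalog.
ASSETS = {
    "pay-db-01":   {"criticality": "mission-critical", "internet_facing": False},
    "web-edge-03": {"criticality": "mission-critical", "internet_facing": True},
    "hr-app-02":   {"criticality": "important",        "internet_facing": False},
    "lab-vm-17":   {"criticality": "low",              "internet_facing": False},
}
UNKNOWN_ASSET = {"criticality": "unknown", "internet_facing": False}

# Placeholder identifiers (CVE-0000-*), not real vulnerabilities.
FINDINGS = [
    {"host": "pay-db-01",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web-edge-03", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"host": "hr-app-02",   "cve": "CVE-0000-0003", "cvss": 8.1},
    {"host": "lab-vm-17",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web-edge-03", "cve": "CVE-0000-0004", "cvss": 9.1},
    {"host": "lab-vm-17",   "cve": "CVE-0000-0005", "cvss": 5.3},
    {"host": "web-edge-03", "cve": "CVE-0000-0003", "cvss": 8.1},
    {"host": "ghost-09",    "cve": "CVE-0000-0005", "cvss": 5.3},  # not in the CMDB
]
EXPLOITED_IN_WILD = {"CVE-0000-0001", "CVE-0000-0003"}


def tier_for(finding, asset, exploited):
    """Assumed tiering policy: 1 = act now, 2 = fix this cycle, 3 = track only.
    A known exploit on a mission-critical or internet-facing asset outranks any
    CVSS score; a high CVSS alone only matters on a mission-critical asset."""
    exploited_now = finding["cve"] in exploited
    critical = asset["criticality"] == "mission-critical"
    exposed = asset["internet_facing"]
    if exploited_now and (critical or exposed):
        return 1
    if exploited_now or (critical and finding["cvss"] >= 9.0):
        return 2
    return 3


def prioritize(findings, assets, exploited):
    """Join each finding with its asset context and sort by tier, then severity.
    Hosts missing from the inventory are kept and flagged rather than dropped."""
    rows = []
    for f in findings:
        asset = assets.get(f["host"], UNKNOWN_ASSET)
        rows.append({
            **f,
            "criticality": asset["criticality"],
            "internet_facing": asset["internet_facing"],
            "exploited_in_wild": f["cve"] in exploited,
            "tier": tier_for(f, asset, exploited),
        })
    rows.sort(key=lambda r: (r["tier"], -r["cvss"], r["host"]))
    return rows


def executive_summary(rows):
    """The numbers that belong in a board report: counts per action tier and the
    number of critical assets currently exposed to something being exploited."""
    tiers = Counter(r["tier"] for r in rows)
    return {
        "findings_total": len(rows),
        "act_now": tiers[1],
        "fix_this_cycle": tiers[2],
        "tracked_only": tiers[3],
        "critical_assets_with_exploited_vulns": len({r["host"] for r in rows if r["tier"] == 1}),
        "unmapped_findings": sum(1 for r in rows if r["criticality"] == "unknown"),
    }


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, ASSETS, EXPLOITED_IN_WILD)
    for r in ranked:
        if r["tier"] < 3:  # executives never see tier 3
            print(f"tier {r['tier']}  {r['host']:<12} {r['cve']}  cvss={r['cvss']}  "
                  f"exploited={r['exploited_in_wild']}  {r['criticality']}")
    print(executive_summary(ranked))
```

The point of the summary dict is that it answers the executive's question directly (how many critical assets are exposed to something being exploited right now) while the tier 3 rows stay in the tracking system. The `unmapped_findings` count is worth reporting too: a finding on a host the CMDB does not know about cannot be rated, and that inventory gap is itself a risk signal.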

Business executives are deathly afraid of becoming the next data breach poster child, so they are willing to spend more than ever before to ensure that this doesn’t happen. What do they want in return? Actuarial tables and timely metrics so they can adjust risk management strategies in real time. Unfortunately, most CISOs (and chief risk officers) don’t have the processes or metrics to come close to satisfying this need.

Cyber Risk Management Gap

This cyber risk management gap represents a high-priority problem that needs immediate attention. CISOs must embrace new tools and cyber risk management methodologies such as Factor Analysis of Information Risk (FAIR), which expresses risk as loss event frequency times loss magnitude and produces an annualized loss estimate rather than a count of findings. Since many cybersecurity managers don’t have the right skills or resources, they may also want to explore cyber risk management services like Unisys TrustCheck.
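To show what a FAIR-style estimate looks like in practice, and how it feeds the ROI question raised in the survey, here is an added Python example. It is not code from the article, from ESG, or from the FAIR Institute; it is a simplified version of the FAIR approach (calibrated min / most likely / max estimates turned into PERT distributions and combined by Monte Carlo simulation). The ransomware scenario, its ranges, and the control's effect and cost are constructed assumptions for illustration.

```python
"""Simplified FAIR-style quantification: annualized loss = loss event frequency x
loss magnitude, estimated from min / most likely / max ranges via Monte Carlo."""
import math
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """One draw from a PERT distribution (a beta scaled to [low, high]), the usual
    way risk tooling turns a calibrated three-point estimate into a distribution."""
    if high <= low:
        return low  # degenerate estimate with no uncertainty
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of loss events in one simulated year (Knuth's method, adequate for
    the small annual rates typical of cyber loss scenarios)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, trials=10_000, seed=1):
    """Simulate `trials` years: sample an event rate, draw the number of events,
    then draw a loss magnitude for each event. Returns one total loss per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = pert_sample(rng, *scenario["lef"])
        events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, *scenario["magnitude"]) for _ in range(events)))
    return losses


def summarize(losses):
    """Annualized loss expectancy plus the percentiles executives actually ask for."""
    ordered = sorted(losses)
    pct = lambda p: ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {"ale": statistics.fmean(ordered), "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": ordered[-1]}


def control_roi(baseline_ale, controlled_ale, annual_control_cost):
    """Net annual value of a control: expected loss avoided minus what it costs."""
    reduction = baseline_ale - controlled_ale
    net = reduction - annual_control_cost
    return {"risk_reduction": reduction, "net_value": net,
            "roi": net / annual_control_cost if annual_control_cost else math.inf}


# Constructed scenario: ransomware against a payment platform. Ranges are
# (min, most likely, max); frequency is events per year, magnitude is dollars.
BASELINE = {"lef": (0.1, 0.3, 1.0), "magnitude": (200_000, 1_500_000, 8_000_000)}
# Assumed effect of segmentation plus tested offline backups: fewer successful
# events and a smaller loss when one happens, at an assumed $400k/year.
WITH_CONTROL = {"lef": (0.05, 0.15, 0.5), "magnitude": (100_000, 600_000, 3_000_000)}
CONTROL_COST = 400_000


def evaluate(trials=10_000):
    base = summarize(simulate_annual_losses(BASELINE, trials))
    ctrl = summarize(simulate_annual_losses(WITH_CONTROL, trials))
    return base, ctrl, control_roi(base["ale"], ctrl["ale"], CONTROL_COST)


if __name__ == "__main__":
    base, ctrl, roi = evaluate()
    for label, s in (("baseline", base), ("with control", ctrl)):
        print(f"{label:<13} ALE=${s['ale']:,.0f}  p50=${s['p50']:,.0f}  p90=${s['p90']:,.0f}")
    print(f"control: risk reduced ${roi['risk_reduction']:,.0f}, "
          f"net ${roi['net_value']:,.0f}/yr, ROI {roi['roi']:.0%}")
```

The output is the kind of figure the 35% asking for ROI can use: a dollar range for the scenario before and after a control, and the control's net value per year. The weak point of any such model is the input ranges, so the estimates should be calibrated against incident data and loss history and revisited as the environment changes rather than produced once for a budget cycle.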

In any event, CISOs must think outside the box as soon as possible. Business executives won’t continue to pour money into cybersecurity if they have no idea whether they are spending effectively or simply burning dollar bills. CISOs need a business mindset here, working with executive teams to protect the right assets at the right time in a cost-effective way.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.