
What’s the Value of Cyber Risk Assessments?
Eight in 10 organizations surveyed in a new study of the current cybersecurity landscape see value in conducting cyber risk assessments, yet slightly more than 65 percent actually do so, and only 39 percent conduct annual audits.

This isn’t a failing of leadership, ISACA, a non-profit focused on IT governance, suggested in part two of its State of Cybersecurity 2021, but instead reflects the growing recognition of cyber maturity, or an organization’s ability to mitigate vulnerabilities and threats from hackers, as a business imperative.

Considering that 35 percent of the study’s 3,600 respondents said their organizations have experienced more cyber incidents this year than last year, their cyber readiness can foretell a hacker’s ability to inflict serious injury. As one might expect, those that attended to security program measurement and maturity were more than twice as confident in their organization’s ability to detect and respond to cyber attacks. Moreover, organizations in the study that perform cyber maturity assessments are more likely to have appropriately staffed security teams and well-funded cybersecurity budgets.

Determining cyber maturity, however, is not without obstacles, the study showed, including:

  • Integrating risk with maturity and keeping up with industry threats (30 percent).
  • Difficulty explaining to management the difference between maturity and compliance (29 percent). Some 76 percent of respondents cited regulatory compliance as the primary driver for conducting cyber assessments.
  • Having the necessary experience to understand and assess cyber maturity (27 percent).

“In a complex, constantly changing cybersecurity landscape that is subjecting enterprises to increasingly severe attacks, assessing cybersecurity maturity can play a role in determining whether enterprises have effective security programs,” says Renju Varghese, Fellow & Chief Architect at HCL Technologies, an IT services provider that helped conduct the study. “Taking a proactive, risk-based approach to assessments, versus simply meeting compliance requirements, will serve enterprises well in ensuring their cybersecurity goals are met and that they can continue to pivot as needed as the threat landscape shifts,” he said.

While it’s widely acknowledged that cyber attacks come in various forms, the security doors most often left ajar, as identified in this year’s report, are similar to those in the prior year:

  • Social engineering: 14%
  • Advanced persistent threat: 10%
  • Ransomware: 9%
  • Unpatched system: 9%

The global pandemic has presented cybersecurity challenges that have amplified the shortfall of existing network approaches and technologies in providing the levels of security and access control digital organizations now require. That has prompted more than one in three enterprises to adopt either a Secure Access Service Edge (SASE) model (12 percent) or a Zero Trust security strategy (23 percent) as a cybersecurity approach.

When it comes to cybersecurity teams and leadership, the report found no significant differences whether a chief information security officer (CISO) or a chief information officer (CIO) is at the helm. With either executive in place, there was no qualitative difference in how an organization views increases or decreases in cyber attacks, confidence levels related to detecting and responding to cyber threats, or perceptions of cyber crime reporting.

However, the data did show that security function ownership is linked to differences regarding:

  • Executive valuation of cyber risk assessments (84 percent under CISOs versus 78 percent under CIOs).
  • Board of director prioritization of cybersecurity (61 percent under CISOs versus 47 percent under CIOs).
  • Cybersecurity strategy aligned with organizational objectives (77 percent under CISOs versus 68 percent under CIOs).

Artificial intelligence (AI) is fully operational in a third of respondents’ security operations, representing a four percentage point increase from the year before.

  • 77% of respondents are confident in the ability of their cybersecurity teams to detect and respond to cyber threats, a three-percentage point increase from last year.
  • 78% of those answering the survey noted that they believe cybersecurity training and awareness programs have a positive impact.

“With the increase in the number and rate of cyber attacks worldwide, cybersecurity professionals are facing a challenging threat landscape that requires constant vigilance,” said David Samuelson, ISACA chief executive. “These survey findings illustrate just how essential it continues to be for the global cybersecurity community to actively keep up to date with best practices and training, and ensure their teams are well staffed to detect and respond to attacks,” he said.

ISACA issued the first part of the research, examining the pandemic’s effect on the cybersecurity workforce, last May. An eye-opening finding from that body of work was that only 53 percent of the 3,600 cybersecurity professionals participating said they had difficulty retaining talent last year during the pandemic.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.