Governance, Risk and Compliance

Cyber Risk Management Grows More Difficult

As part of a recent ESG research project, 340 enterprise cybersecurity, GRC, and IT professionals were asked to compare cyber risk management today with how it was two years ago. The data indicates that 39% of survey respondents believe that cyber risk management is significantly more difficult today than it was two years ago, while another 34% say that cyber risk management is somewhat more difficult today than it was two years ago.

ESG’s Jon Oltsik

Why do 73% of cybersecurity, GRC, and IT professionals believe cyber risk management is more problematic? Several issues stand out:

  • The ever-growing attack surface. Forty-three percent of respondents say that cyber risk management is more difficult today because their organization has moved more workloads to the public cloud. Furthermore, 41% say their organization has more sensitive data while 39% claim they have more devices on the network. All these IT additions point to a common problem: Enterprises have a lot more stuff to protect than they did just two years ago. By the way, this trend never ceases.
  • More vulnerabilities. Forty-two percent of those surveyed say that cyber risk management is more difficult today because the number of software vulnerabilities has increased. There are also plenty of other vulnerability issues like misconfigured devices, systems, administrator accounts, untrained users, etc.
  • The dangerous threat landscape. Forty-two percent of those surveyed say that cyber risk management is more difficult today because the technical sophistication of cyber-adversaries has increased. This is also a perpetual trend.
  • Business requirements. Thirty percent of those surveyed say that cyber risk management is more difficult today because business managers are asking for more risk management analysis and reporting. So, I guess cybersecurity really is a boardroom issue.

Think about this data from a CISO perspective. Your bosses are pushing you for more frequent updates on cyber risk management, and they want it presented in a business context. Meanwhile, your staff, which is at best incrementally bigger than it was two years ago, must collect, process, analyze, and report on risk management across an expanding and vulnerable attack surface that is being targeted by more sophisticated cyber-adversaries.

Let’s face it, CISOs are being forced to bring knives to a cyber risk management gun fight. This model is completely broken. Fortunately, there is hope. Stay tuned for future blogs.


Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service. Read more ESG blogs here.