5 risk management mistakes CISOs still make

Cybersecurity is now a board-level issue, but many organizations still struggle to get security risk management right.


Corporate leaders now rank cybersecurity as a top-level priority, seeing it as a strategic risk that must be managed.

Yet surveys of executives and board members suggest that they’re still falling short on that task.

The 2019 Global Cyber Risk Perception Survey from Marsh and Microsoft found that 79% of respondents put cyber risk as a top five concern for their organization, with 22% saying it is their top concern. Yet only 11% report a high degree of confidence in their organization’s cyber resiliency.

Meanwhile, 66% of respondents in the 2019-2020 Public Company Governance Survey from the National Association of Corporate Directors said their companies addressed cyber risk at least once on their board agendas in the prior year. Despite that board-level attention, however, 61% of respondents said their organizations would prioritize business operations and initiatives over cybersecurity.

Security leaders say they are not surprised by such findings: security risk management is still a maturing discipline, and many executives struggle to manage security risk effectively. As a result, they see the same mistakes repeated across organizations. Here are five common mistakes they see enterprise officials make:

