New research shows that cyber risk management is more difficult now than it was two years ago. Primary causes include increasing workloads, sophisticated threats, and more demanding business executives.

Cyber risk management is significantly more difficult today than it was two years ago.

That’s according to new ESG research involving 340 enterprise cybersecurity, GRC, and IT professionals who were asked to compare cyber risk management today to two years ago. (Note: I am an employee of ESG.) The data indicates that 39 percent of survey respondents believe that cyber risk management is significantly more difficult today than it was two years ago, while another 34 percent say that cyber risk management is somewhat more difficult today than it was two years ago.

4 reasons why cyber risk management is more difficult

Why do 73 percent of cybersecurity, GRC, and IT professionals believe cyber risk management is more problematic? Several issues stand out:

The ever-growing attack surface. Forty-three percent of respondents say cyber risk management is more difficult today because their organization has moved more workloads to the public cloud. Furthermore, 41 percent say their organization has more sensitive data, while 39 percent claim they have more devices on the network. All these IT additions point to a common problem: Enterprises have a lot more stuff to protect than they did just two years ago. By the way, this trend never ceases.

More vulnerabilities. Forty-two percent of those surveyed say cyber risk management is more difficult today because the number of software vulnerabilities has increased. There are also plenty of other vulnerability issues, such as misconfigured devices, systems, administrator accounts, and untrained users.

The dangerous threat landscape. Forty-two percent of those surveyed say cyber risk management is more difficult today because the technical sophistication of cyber-adversaries has increased. This is also a perpetual trend.

Business requirements. Thirty percent of those surveyed say cyber risk management is more difficult today because business managers are asking for more risk management analysis and reporting. So, I guess cybersecurity really is a boardroom issue.

Think about this data from a CISO perspective. Your bosses are pushing you for more frequent updates on cyber risk management, and they want it presented in a business context. Meanwhile, your staff — which is likely incrementally bigger than it was two years ago, if at all — must collect, process, analyze, and report on risk management across an increasing and vulnerable attack surface that is being targeted by more sophisticated cyber-adversaries.

Let’s face it, CISOs are being forced to bring knives to a cyber risk management gun fight — this model is completely broken. Fortunately, there is hope. Stay tuned for future blog posts.