Organizations struggle with continuous monitoring, tracking the threat landscape, identifying sensitive data flows, and communication between cybersecurity and business executives.

There was quite a bit of banter about boardroom cybersecurity actions at this year’s RSA Security Conference. No surprise here; business executives understand what’s at stake and are asking CISOs to provide more cyber risk data and metrics so they can work with them on intelligent risk mitigation strategies.

This is a positive development for the long term, but it also exposes an underappreciated issue – many organizations aren’t very good at monitoring, measuring, or mitigating cyber risk in a timely manner.

As part of a recent ESG research project, 340 cybersecurity, GRC, and IT professionals were asked to identify their organizations’ top cyber risk management challenges. (Note: I am an employee of ESG.) The research reveals that:

- 46% of survey respondents indicate they are challenged by continually measuring all cyber risk across the IT infrastructure. Cyber risk management is dynamic – threats and vulnerabilities change all the time, requiring constant monitoring and risk mitigation adjustments. Unfortunately, most organizations monitor risk on a periodic basis with network scans, penetration testing, threat intelligence bulletins, etc. Oltsik’s law: You can’t measure a dynamic environment with static data, but that’s exactly how many organizations approach cyber risk management.

- 43% of survey respondents indicate they are challenged by “monitoring the threat landscape for cyber-adversaries and attacks that may target my organization.” Many firms don’t have threat intelligence skills and simply default to blocking mode. OK, but I’m reminded of a Sun Tzu quote: “If you know your enemy and know yourself, you need not fear the results of a hundred battles.” When it comes to cyber risk management, firms don’t know their enemy, and the lack of continuous monitoring means they don’t know themselves well either. Yikes!

- 36% of survey respondents indicate they are challenged by tracking sensitive data flows. At the end of the day, protecting sensitive data is what cybersecurity professionals are paid to do, yet many don’t know where that sensitive data resides, where it flows, or who has access to it. Again, we are missing on basic requirements.

- 35% of survey respondents indicate they are challenged by communicating cyber risk to business executives. Hmm, if we don’t have the right data, don’t understand our cyber-adversaries, and don’t know where our sensitive data flows, I would imagine this would be a problem.

The ESG data represents a critical weakness – many organizations don’t really understand the true cyber risks they face, so they throw money around willy-nilly at basic security controls and monitoring tools. To me, this is like going out in the morning without checking the weather forecast. You can look out the window and guess how to prepare, but there’s a high likelihood you’ll make the wrong decision and end up wet, cold, or both.

Given the high priority here, I believe this cyber risk management gap represents a tremendous opportunity for innovation. Tools and services that can help CISOs develop an intelligent cybersecurity program, capture metrics, and produce business-centric reports will be in high demand. I’m also bullish on tools that apply machine learning algorithms to help CISOs identify changing risks and prioritize remediation actions based upon real-time dynamic data. If I were a VC, I’d be looking for investments in these areas.