Cybersecurity is a critical field that evolves rapidly as technology advances and cyber threats become more sophisticated. One of the most significant trends in cybersecurity is the adoption of a Zero Trust Architecture, which operates on the principle of “never trust, always verify.”

This approach assumes that threats can exist both inside and outside the network, and it verifies every request as if it originated from an open network.

Another trend is the increasing focus on Cyber Resilience, which is the ability of an organization to prepare for, respond to, and recover from cyber-attacks.

Cyber resilience involves defending against attacks and ensuring that the organization can continue to operate during and after an attack.

The importance of robust cyber risk management cannot be overstated. Effective risk management in cybersecurity helps organizations identify, evaluate, prioritize, and treat potential cyber threats.

A robust risk management plan is vital for identifying and assessing the vulnerabilities an attacker could exploit and the risks they pose to the organization.

It also involves establishing network access controls, creating a patch management strategy, and conducting regular cybersecurity risk assessments to stay ahead of emerging threats.

In the context of the digital age, where data breaches and cyber attacks can have devastating consequences, robust cyber risk management is essential for protecting sensitive information and maintaining trust with customers and stakeholders. It also supports compliance with regulatory requirements and can reduce the financial impact of cyber incidents.

Recent research from ISACA reveals a concerning trend: over half (52%) of cybersecurity professionals report an increase in cyber-attacks compared to the previous year.

Despite this uptick in threats, many companies are not conducting regular cyber risk assessments. In fact, only 8% of organizations carry out these assessments monthly, and just 40% do so annually.

In today’s landscape, where businesses grapple with complex challenges like evolving regulations, hybrid work environments, and rapid technological changes, understanding and managing cyber risks is more crucial than ever. A strong risk management program is essential to safeguard organizations from cyber threats.


Key Statistics Highlighting the Criticality of Risk Management

To emphasize the importance of risk management, we’ve gathered a series of statistics that shed light on the current risk landscape, including executive perspectives on top risks, the escalating costs of insider risks, and the growing exposure to third-party risks.

Understanding the Evolving Risk Landscape

  1. Forrester reports that 41% of organizations experienced three or more critical risk events in the past year.
  2. Hiscox found that 41% of previously attacked organizations saw an increase in risk exposure in 2022.
  3. According to AICPA and NC State University, 65% of senior finance leaders acknowledge a significant change in the volume and complexity of corporate risks over the past five years.
  4. PwC highlights that 35% of risk executives view compliance and regulatory risk as the biggest threat to growth, with an equal percentage concerned about cyber or information risks.
  5. Data protection and privacy regulations are top priorities for 61% of risk executives in 2022, as per PwC.
  6. McKinsey notes that cybercrime is among the top five risks for most risk executives, with 58% expecting this trend to continue over the next three years.
  7. The primary concerns for CROs, as identified by McKinsey, are direct financial impact, harm to customers, and reputational damage.
  8. McKinsey also reports that 58% of risk executives are most worried about poor data quality.

Evaluating Risk Management Programs

  1. AICPA and NC State University reveal that 63% of executives believe their risk management processes offer minimal or no competitive advantage.
  2. PwC states that 57% of risk professionals see significant quality outcomes, like improved decision-making, from tech applications.
  3. However, only 30% report efficiency outcomes such as lower compliance costs, according to PwC.
  4. PwC also finds that 54% of risk professionals seek stronger relationships with senior executives for greater influence.
  5. To improve relevance and influence, risk professionals suggest upskilling on emerging technologies (47%), leadership support for collaboration (45%), organized data infrastructure (38%), and increased budget (37%), as per PwC.

Responding to Risks

  1. IBM reports that nearly three-quarters of organizations have an incident response plan, with 63% regularly testing it.
  2. Organizations with tested IR plans save an average of $2.66 million in breach costs, according to IBM.
  3. AICPA and NC State University found that 75% of executives expect significant changes in business continuity planning and crisis management.

Third-Party Risk Management Insights

  1. PwC notes that 31% of risk executives see third-party risk as a major growth threat.
  2. ProcessUnity and CyberGRX report that 64% of organizations view third-party risk management as a strategic imperative.
  3. Over 81% can quantify and communicate the value of their third-party risk management program, as per ProcessUnity and CyberGRX.
  4. Cyentia Institute and SecurityScorecard state that 98% of organizations work with third parties that have experienced breaches in the last two years.
  5. The IT sector averages 25 third-party relationships, while finance averages 6.5, according to Cyentia Institute and SecurityScorecard.
  6. First parties are twice as likely to achieve high-security ratings, while third parties are five times more likely to have poor security, as found by Cyentia Institute and SecurityScorecard.

Managing Insider Risks

  1. The annual cost of insider risk has risen to $16.2M, a 40% increase over four years, according to DTEX Systems.
  2. Containing insider incidents now takes an average of 86 days, as per DTEX Systems.
  3. DTEX Systems also reports that 46% of organizations plan to increase investment in insider risk programs in 2024.
  4. 77% have started or are planning insider risk programs, with 88% spending less than 10% of their IT security budget on this, as found by DTEX Systems.
  5. Although more than half of organizations cite social engineering as a leading cause of external attacks, 91.8% of the IT security budget is spent on external threats, DTEX Systems notes.
  6. Only 10% of the insider risk management budget is spent on pre-incident activities, with the rest on post-incident activities, including containment and remediation, according to DTEX Systems.

Crafting a Risk Management Plan

Creating a risk management plan involves defining its purpose, assigning roles, identifying risks, assessing and analyzing risks, planning responses, monitoring risks, and regularly updating the plan.

This process ensures that risks are effectively managed and mitigated.
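As an added illustration of the assessment, prioritization, and monitoring steps above (and of the assessment cadence discussed earlier), the following Python risk register is example code written for this page, not tooling from any of the cited reports. The 1-5 likelihood and impact scales, the rating bands, the risk appetite of 9, the 90-day review cadence, and the three register entries are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Qualitative 1-5 scales. The scales, rating bands and thresholds below are
# assumptions for this example; the page does not prescribe a scoring scheme.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_BANDS = ((4, "low"), (9, "medium"), (14, "high"), (25, "critical"))
AS_OF = date(2024, 1, 24)  # fixed "today" so the output is reproducible


@dataclass
class Control:
    """A mitigating control, expressed as the scale steps it removes from likelihood or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    rid: str
    description: str
    owner: str
    likelihood: str
    impact: str
    last_assessed: date
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after controls; each factor is floored at 1 because a risk never vanishes."""
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def rating(score: int) -> str:
    """Map a 1-25 matrix score onto the qualitative rating bands."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def prioritize(risks):
    """Highest residual risk first; ties are broken by inherent score so the ranking is stable."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def treatment(risk: Risk, appetite: int) -> str:
    """Anything above the stated appetite needs a response plan; the rest is accepted and monitored."""
    return "accept" if risk.residual_score() <= appetite else "mitigate"


def overdue(risks, today: date, max_age_days: int = 90):
    """IDs of risks whose last assessment is older than the review cadence."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.rid for r in risks if r.last_assessed < cutoff]


def build_sample_register():
    """Constructed sample entries for the example, not data from any real organization."""
    return [
        Risk("R-001", "Unpatched internet-facing VPN appliance", "Infra lead",
             "likely", "severe", date(2023, 12, 20),
             [Control("Monthly patch cycle", likelihood_reduction=2),
              Control("MFA on VPN logins", impact_reduction=1)]),
        Risk("R-002", "Privileged insider exfiltrates customer data", "CISO",
             "possible", "major", date(2023, 9, 1),
             [Control("DLP and egress monitoring", impact_reduction=1)]),
        Risk("R-003", "Breach at SaaS vendor holding customer PII", "Vendor manager",
             "likely", "moderate", date(2022, 11, 15)),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print(f"{'ID':<6}{'inherent':>9}{'residual':>9}  rating    treatment")
    for r in prioritize(register):
        res = r.residual_score()
        print(f"{r.rid:<6}{r.inherent_score():>9}{res:>9}  {rating(res):<9} {treatment(r, appetite=9)}")
    print("overdue for reassessment:", overdue(register, AS_OF))
```

Running the script ranks the vendor risk (residual 12, high, no controls) above the two mitigated risks, flags it for treatment against an appetite of 9, and reports R-002 and R-003 as past their 90-day reassessment window. Controls here only lower the score; in a real register they should also carry an owner and evidence that the control is operating, otherwise the residual figure is an assumption rather than a measurement.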



Citations

  1. Business Wire, 2023. The State of Cybersecurity: Cyber Skills Gap Leaves Business Vulnerable to Attacks, New Research Reveals. [online] Available at: https://www.businesswire.com/news/home/20231003697748/en/The-State-of-Cybersecurity-Cyber-Skills-Gap-Leaves-Business-Vulnerable-to-Attacks-New-Research-Reveals [accessed 24/1/2024].
  2. Forrester, 2022. The State Of Enterprise Risk Management, 2022. [online] Available at: https://www.forrester.com/report/the-state-of-enterprise-risk-management-2022/RES177427 [accessed 24/1/2024].
  3. Hiscox, 2022. Hiscox Cyber Readiness Report 2022. [pdf] Available at: https://www.hiscox.com/documents/Hiscox-Cyber-Readiness-Report-2022.pdf [accessed 24/1/2024].
  4. ERM Initiative and NC State University, 2022. 2022 Risk Oversight Report. [pdf] Available at: https://erm.ncsu.edu/az/erm/i/chan/library/2022-risk-oversight-report-erm-ncstate.pdf [accessed 24/1/2024].
  5. Fitzgerald, A. and Gutierrez, R., 2023. What Is Compliance Risk and How To Manage It [+ Free Templates]. [online] Secureframe. Available at: https://secureframe.com/blog/compliance-risk [accessed 24/1/2024].
  6. PwC, 2022. Risk management insights from the PwC Pulse Survey. [online] Available at: https://www.pwc.com/us/en/library/pulse-survey/executive-views-2022/risk-management-leaders.html [accessed 24/1/2024].
  7. McKinsey & Company, 2022. Risk and resilience priorities, as told by chief risk officers. [online] Available at: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/risk-and-resilience-priorities-as-told-by-chief-risk-officers [accessed 24/1/2024].
  8. IBM, 2022. Cost of a Data Breach Report 2022. [online] Available at: https://www.ibm.com/downloads/cas/3R8N1DZJ [accessed 24/1/2024].