Organizations are struggling to predict the impact of threats and vulnerabilities associated with emerging tech

Published: Wednesday, 30 October 2019 09:03

More than half of risk professionals worldwide say that their organization’s risk levels have increased in the past 12 months, according to new research from ISACA, CMMI Institute and Infosecurity Group.

The organizations’ ‘State of Enterprise Risk Management 2020’ report reveals that only 29 percent of respondents have a high degree of confidence that their enterprise can accurately predict the impact of threats and vulnerabilities associated with emerging technologies. Additionally, fewer than a third (31 percent) of security pros say their enterprises can respond quickly when new threats are identified, a problematic dynamic given today’s fast pace of business and technology-driven change.

State of Enterprise Risk Management 2020 found that the most critical categories of risk facing enterprises today are:

The top five cybersecurity risk management challenges are changes/advances in technology; changes in types of threats; too few security personnel; missing skills in existing cybersecurity personnel; and increased number and frequency of threats.

The study found that nearly two-thirds of respondents have defined processes for risk identification, but only 38 percent believe that those processes are at either the managed or optimized level of the maturity spectrum. This high adoption, low optimization trend shows there is significant need for action and improvement.

The State of Enterprise Risk Management 2020 study also reports diversity in the types of attacks seen across geographic locations and industry sectors. For example, respondents from Asia and India report more nation-state attacks than those in North America, Oceania and Europe.

When it comes to managing the fallout of an issue, only 43 percent of respondents’ enterprises employ insurance as a mitigation control. Organizations in North America and Africa are the highest adopters of insurance, with Latin America being the lowest.

Management and governance gap revealed

The study reveals a potential disconnect between management and governance of enterprises when it comes to risk. Respondents note that, on average, boards of directors are only updated on cyber security risk on a quarterly basis – sometimes even less. Chief information security officers (CISOs) are updated much more frequently, with 70 percent saying they receive updates at least once a month. This knowledge gap is a key opportunity for CISOs to expand their visibility at the governance level.

More details.