The new report, “State of Enterprise Risk Management 2020”, finds that more than half of risk professionals worldwide say their organization’s risk levels have increased in the past 12 months, a trend that is likely to continue into 2020.
To gather the data, ISACA polled a global population of over 4,500 professionals involved in risk decisions at large and small enterprises, across six continents and every industry from manufacturing to government and financial services.
Threat level rises to high
Alongside the rising threat levels, the study also finds that 29 percent of respondents identify cybersecurity as the most critical risk category facing enterprises today, and 33 percent believe that information and cybersecurity risk will be the most critical category facing their organization in the next 18 to 24 months.
In this context, the report’s finding that boards of directors are updated on cybersecurity risk only quarterly, and sometimes even less often, is a concern and an impediment to developing an effective cybersecurity strategy.
What should the CISO do?
There is better news on the C-suite front: where a chief information security officer (CISO) is in place, directors are updated far more frequently, with 70 percent saying they receive updates at least once a month. The CISO is responsible for establishing and maintaining the enterprise vision, strategy, and program that ensure information assets and technologies are adequately protected.
Boards are generally aware of cyber-risk, and one interesting finding is that risk awareness correlates with seniority: the more senior the respondent, the more aware they are of the risks their enterprise faces.
There’s no ‘golden ticket guidance’
Awareness does not necessarily translate into meaningful action. While most respondents indicate that their enterprises have implemented the most fundamental risk management steps, including risk assessment (85 percent) and risk identification (81 percent), ongoing measurement and tracking of risk is less developed, and forecasting new risk remains a challenge.
The report concludes that while there is no ‘golden ticket guidance’ that will work in every enterprise when it comes to risk optimization, there are measures enterprises can adopt to make better decisions about risk and to improve the controls they already have in place.