Risk vs. Reality: Understanding Cyber Risk Confidence among Cyber Leaders
With ever-evolving cybersecurity threats and obstacles, many cybersecurity leaders find themselves in a constant struggle to align cyber protection measures with their risk appetite. As a CISO responsible for safeguarding our organization, I understand the immense challenges many face mitigating cyber threats while juggling limited resources and financial constraints.
Critical Start recently surveyed 501 U.S.-based IT security decision makers at organizations ranging from 2,500-25,000 employees to better understand how confident organizations are in managing their cyber risk. The 2023 Critical Start Cyber Risk Confidence Index is now available here, where you can see how your peers responded to questions about their cybersecurity investments, assessments, team resources, and more.
I wanted to address the report from a CISO point of view, focusing on what resonated most with me and where the industry is headed. Recently, the U.S. Securities and Exchange Commission adopted rules that require registrants to disclose material cybersecurity incidents and to communicate material information about their cybersecurity risk management, strategy, and governance on an annual basis. No matter the industry, the topic of cyber risk management, and how we can control it, is top of mind.
A few key findings from the study include:
- 66% of U.S.-based cybersecurity decision-makers are not highly confident that their current strategies for evaluating and mitigating major cyber risks are effective.
- 61% of respondents claim their organization’s cybersecurity investment and quantifiable risk reduction priorities are not highly aligned.
- 63% of organizations cannot fully quantify the return on investment (ROI) for their cybersecurity initiatives or the risk reduction impact they make.
With roughly two-thirds of cyber decision makers unsure of the efficacy of their current approach, identifying and dealing with cyber threats are key areas of focus to ensure that the strategies in place are accurately assessing and managing attack surfaces.
There is a disconnect between where the cybersecurity budget is being allocated and the risks that are being effectively addressed. Wise investments in today's uncertainty are critical to ensuring that risk reduction is maximized for every dollar invested. Measuring ROI while assessing the true effectiveness of cyber programs is not only incredibly challenging but critical to showing boards and executive teams the true posture of an organization.
These points collectively highlight that a significant portion of cybersecurity organizations and decision makers are concerned about the efficacy of their current strategies, the alignment of investments with risk reduction priorities, and the ability to quantify results.
The Cyber Threat Landscape: A Growing Concern
The cyber threat landscape continues to evolve, with cybercriminals employing increasingly sophisticated tactics, techniques, and procedures (TTPs). Reports project that the cost of cybercrime will reach a staggering $8 trillion in 2023, with predictions soaring to $10.5 trillion by 2025 (cybersecurityventures.com). These alarming figures underscore the financial impact and urgency for security professionals like us to remain vigilant and proactive in our defenses.
Understanding Cyber Risk Confidence
To gauge the effectiveness of our risk evaluation and mitigation strategies, we return again to the Cyber Risk Confidence Index. Unfortunately, the results aren’t as reassuring as we’d like them to be. According to the survey, a significant 66% of cybersecurity decision-makers in the United States lack high confidence in their current strategies for evaluating and reducing major cyber risks. For larger organizations, with 20,000 to 25,000 employees, this lack of confidence soars to 78%.
Bridging the Gap: Investment and Risk Appetite
As a cyber leader, walking the delicate balance between investment in cybersecurity and risk appetite is an everyday task. The survey indicates that 83% of respondents prioritize the cost of security over the risk of a breach.
In an era of economic uncertainty, this is understandable, but it raises concerns about an organization's ability to allocate resources appropriately and protect itself effectively.
Managing Risk with Limited Resources
Many of my peers struggle with limited resources and a shortage of skilled cybersecurity professionals. Some even work as a one-person show, wearing every cybersecurity hat they can. Furthermore, "CISO burnout" is becoming an even more pressing issue, with 66% of security professionals reporting that they feel significant stress while at work (tines.com).
How to Increase Cyber Risk Confidence
As cybersecurity leaders, we face an essential task – protecting our organizations from a sophisticated landscape of cyber threats, while managing limited resources, financial constraints, and a lack of data that shows how well our cybersecurity infrastructure is performing. To succeed, we must prioritize an approach that aligns our investment decisions with the organization’s risk appetite.
An ideal first step would be bridging the gaps between cybersecurity teams, business leaders, and board members/stakeholders to encourage open communication and an understanding of how cybersecurity goals align to overall business goals. By conducting regular risk assessments, leveraging external expertise, and encouraging a culture of proactive and holistic cybersecurity awareness inside our organizations and out, we can confidently begin to better manage cyber risk.
How Critical Start Can Help
Here at Critical Start, we work every day to innovate and move the industry forward, while supporting our customers with 24x7x365 coverage through human-led risk mitigation. Managed Detection and Response (MDR) is itself a cybersecurity evolution, and helps organizations increase their cyber risk confidence while taking control of their risk appetite. Check out our latest report and contact an expert today to learn more.
In his role as the CISO, George defines and drives the strategic direction of corporate IT, information security and compliance initiatives for the company, while ensuring adherence and delivery to our massive growth plans. George brings more than 20 years of experience with technology, infrastructure, compliance, and assessment in multiple roles across different business verticals.