Businesses suffering from 'chasm' between cyber strategy and actual practice

A cybersecurity strategy should serve as every organization’s steering wheel, but in reality there’s a world of difference between plan and practice.

A new report from governance, risk, and compliance (GRC) firm MetricStream states that in most businesses, senior management and leadership jointly establish the strategic direction of the IT risk management program. In the majority of cases (71 percent), the CISO does not participate in the creation of the IT risk program.

Polling enterprise security and risk professionals from all around the world for the report, MetricStream found that most organizations aren’t quantitatively managing their IT risk program, and that less than a third (31 percent) review their IT risk assessment every quarter. Approximately 15 percent perform this review monthly.

“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO at MetricStream.

In this case, the weakest link seems to be the humble spreadsheet. More than 45 percent of respondents said they use spreadsheets for IT risk management, making it the number one tool. What’s more, they use them even when they have an IT governance, risk and compliance (GRC) solution in place.

In the future, almost four in ten plan to increase their IT risk management budgets. They will look to invest in IT security solutions, compliance with federal and government regulation, and IT security data aggregation and reporting.

Denial of service, compliance violations and regulatory actions, as well as spoofing of company social media, were listed as the risks organizations most fear today.