Organizations Struggle to Measure and Monitor Cyber Risk
Harvard Business Review Analytic Services, Pulse Survey. Sponsored by Tanium.

SPONSOR PERSPECTIVE
Chris Hallenbeck, CISO, Americas, Tanium

Cybersecurity efficacy has always been of chief importance but perhaps has never been as complicated as it is today. This is especially true for risk posture. Ad hoc or infrequent scanning for vulnerabilities cannot keep up with a rapidly changing, complex IT environment. Remediation or mitigation efforts are hindered by reliance on tools that are disconnected from risk analysis and overall security performance. Nonetheless, odds are high that boards of directors will have even more questions for security leaders regarding sensitive data, risk levels, risk reduction, and security investments.

There's a significant communication gap between the two groups. In reality, most executives don't have strong technology backgrounds, and they struggle to understand the metrics being presented by their security counterparts. Chief information security officers (CISOs) struggle to explain the value and performance of security investments, which puts them in jeopardy of falling out of sync with business priorities or gives executives a false sense of confidence about security readiness. Lack of consistency and creating patchwork reports from a variety of security point tools also hamper the ability of security leaders to offer executives a comprehensive, real-time view of risk across their organization.

In addition to the type of data, the way that data is conveyed also matters. Security leaders may also be too focused on presenting metrics that aren't actionable or are centered on security tools rather than security effectiveness. Risk data must align with business objectives if it's going to make sense to boards.

Bridging this communication gap requires security leaders to identify and communicate the metrics that matter to both sides. This move starts by taking a proactive, data-driven, and continuous approach to managing risk exposure with a real-time view of risk posture. With access to real-time risk scoring, security leaders have the ability to see and communicate key trends, improvements, and industry benchmarks that produce insights that boards and security teams can act on together while taking into account people, processes, and technology.

We sponsored this Harvard Business Review Analytic Services report to showcase the disconnect between security and executive management about cybersecurity efficacy and performance. Through a quantitative survey and interviews with experts, it illuminates how security teams should explain cyber risk and security performance to the C-suite and the board, and the extent to which this communication is adequate and effective, and explores ways to improve it.

HIGHLIGHTS
Due to rounding, some figures in this report may not add up to 100%.
- 70% of survey respondents somewhat or strongly agree that senior business executives at their organization should be more concerned about their organization's cybersecurity.
- 68% somewhat or strongly agree that information technology could do more to make sure senior executives are better informed about their organization's cyber risk/cybersecurity.
- 51% report that the CEO or equivalent is responsible for final cybersecurity investment decisions in their organization.

Organizations Struggle to Measure and Monitor Cyber Risk

When it comes to cyber risk, most organizations have a communication problem. The consequences of inadequate executive governance of that risk have never been greater. Yet translating the technical intricacies of cybersecurity into how a business should reduce its cyber risk has proved to be a challenge. "You can't govern what you don't understand," says Bob Zukis, founder and CEO of the Digital Directors Network (DDN), an organization with a mission of helping boards understand and govern cyber risk, and helping security technologists present risk in business terms.

A survey of 180 respondents by Harvard Business Review Analytic Services sheds light on this gap and its consequences. Despite showing broad agreement about the importance of cybersecurity, the survey reveals that the executives making decisions on cyber-risk investment may not be getting the information they need.

Effective cyber-risk oversight is hampered by a mutual shortage of knowledge: executives don't know enough about what the technology means, and cybersecurity experts don't know how to put cyber risk in a relevant context. That shortage of knowledge is compounded by other factors, including inconsistent or indirect lines of reporting, various methods of measuring cyber risk, and a lack of context showing how and why such measures matter.

Digital Innovation, Cyber Risk

The pandemic accelerated digital transformation. The World Economic Forum expected that 60% of global gross domestic product would be digitized by 2022 [1] and that 70% of new value created in the economy over the next decade will be based on digitally enabled platform business models. [2] Digital innovation creates value and competitive advantage, but it also creates risks that can threaten that value, says Zukis, who founded the DDN in 2017 after a 30-year career at PwC. So far, most organizations have focused on the former but not the latter. "We've done a much better job of innovating and creating digital value," says Zukis. "We've done a much less effective job of protecting that digital value."

Criminals are taking advantage. In the Harvard Business Review Analytic Services survey, 57% of respondents report an increase in cyber attacks since the pandemic began, with 38% saying attacks have increased some, and 19% saying attacks have increased significantly. Organizations dramatically expanded attack surfaces as they rushed to send employees home to work, and many organizations didn't secure all their new connections and endpoints immediately, says Emily Mossburg, global cyber leader at Deloitte. Financial losses mounted with the increasing cybercrime that resulted. The FBI's Internet Crime Complaint Center reports that losses totaled $4.2 billion in 2020, up from $3.5 billion in 2019. [3] The amount paid in ransomware attacks rose in 2020 by more than 300%, to $350 million, according to the Ransomware Task Force Report. [4]

Most organizations recognize the rising level of risk and increasing importance of cybersecurity, but executives may not have the information they need to manage that risk. Some 66% of respondents to the Harvard Business Review Analytic Services survey say it is extremely important that their organization has strong cybersecurity; 27% say it is very important. A great majority (93%) of respondents somewhat agree (18%) or strongly agree (75%) that "it's important that senior business executives are well-informed about their organization's cybersecurity and cyber risk." Yet far fewer, 69%, somewhat agree (35%) or strongly agree (34%) that "senior business executives at my organization are well-informed about the organization's cybersecurity and cyber risk."

A similar proportion (70%) also somewhat or strongly agree that senior business executives at their organization should be more concerned about their organization's cyber risk/cybersecurity. In addition, 68% somewhat agree (30%) or strongly agree (38%) that "IT could do more to make sure our senior business executives are better informed about the organization's cyber risk/cybersecurity."

Lost in Translation

These results indicate a disconnect between the business and technology sides of the house. Several factors contribute to this gap: lack of translation between business and technical language, opaque organizational and reporting structure, infrequency of updates, lack of appropriate context, and inconsistent use of metrics.

Technology and business executives or corporate directors often speak different languages. Chief information security officers (CISOs) tend to talk about technical metrics that other executives and directors may not understand. When business executives sit politely and listen to a litany of technical metrics, they may get a false sense of security, says Zukis. What executives do understand, and focus on, is business value. "That's why you have to talk about cyber risk in economic terms," he notes.

Reporting between those implementing cybersecurity and those deciding how much to invest in cybersecurity can be muddy. In the survey, over half (51%) of respondents report that the CEO or equivalent is responsible for making final cybersecurity investment decisions in their organization (Figure 1). Thirty-seven percent say that responsibility rests with the CISO/chief information officer (CIO)/chief technical officer (CTO) or equivalent, and 31% say it rests with the board of directors.

FIGURE 1: Holders of the Purse Strings
Cybersecurity spend is controlled primarily by the head of the organization, technology leaders, and the board.
Which groups are responsible for making final cybersecurity investment decisions at your organization? (Select all that apply)
  CEO or equivalent: 51%
  CISO/CIO/CTO or equivalent: 37%
  Board of directors: 31%
  IT/tech VPs and/or directors: 26%
  CFO or equivalent: 24%
  Entire C-suite: 22%
  Don't know: 6%
  Non-IT/tech VPs and/or directors: 4%
  Other: 1%
Source: Harvard Business Review Analytic Services survey, September 2021

CISOs are rising in organizational charts, says Deloitte's Mossburg. A Deloitte survey of executives found that 33% of CISOs globally and 42% in the U.S. now report directly to the CEO. That's up from 32% in the U.S. in 2019. [5]

Zukis believes CISOs should report directly to the CEO, or even to the board of directors. Yet far too many CISOs still report to the CIO, he says. "That's not ideal, because there are inherent conflicts," he says. The CIO is typically responsible for creating value through technology; having the CISO under the CIO could subordinate the protection of that value.

Some boards are creating committees focused on cybersecurity, which could draw a direct line to the CISO. Fewer than 10% of boards today have a dedicated cybersecurity committee overseen by a qualified board member, according to Gartner, which predicts that percentage will increase to 40% by 2025. [6]

At Mastercard, the chief security officer (CSO) is a member of the CEO's management committee, says Alissa Abdullah, deputy chief security officer and senior vice president of emerging corporate security solutions. The CSO can bring technical detail and expertise to the committee but should primarily serve as a filter at the CEO and board levels, talking in terms of high-level trends to enable management to think strategically about cybersecurity and cyber risk, she says. The CSO regularly reports to Mastercard's board.

The frequency of such updates varies from one organization to another. Asked how regularly those responsible for implementing and monitoring cybersecurity provide updates to their organization's senior business executives, 24% of respondents to the Harvard Business Review Analytic Services survey say they do so quarterly (Figure 2). The largest proportion of respondents (33%) report on an "ad hoc" basis. Such a lack of regularly scheduled business-level oversight could mean executives hear about risk levels only when there is a problem. More encouraging is the second-largest proportion of responses: 29% say senior business executives are updated monthly. Some 7% say "annually," and 7% say "rarely or never."

FIGURE 2: The "Squeaky Wheel" Schedule
The largest proportion of respondents indicate that senior executives receive only ad hoc updates, which may mean only when there is a problem.
How regularly do those responsible for implementing and monitoring cybersecurity update senior business executives on the status of cyber risk in your organization?
  Ad hoc: 33%
  Monthly: 29%
  Quarterly: 24%
  Annually: 7%
  Rarely or never: 7%
Source: Harvard Business Review Analytic Services survey, September 2021

As important as regular updates, if not more so, is the information the updates provide. That communication presents one of the trickiest challenges: how to present important technical information on cyber risk in a way that grabs executives' attention.

Mixed Measurements

Some organizations use metrics to assess cyber risk, and others don't. The survey asked those respondents who say their senior business executives are regularly updated on cyber risk to choose from a list of update descriptions (Figure 3). Fifty-two percent indicate they use some measurement to gauge risk levels over time, selecting "overall status/level of risk including some metrics/benchmarks." The second-largest proportion of respondents (44%) describe updates as "general, overarching status/current level of risk, little or no metrics/benchmarks," which could mean these executives are not monitoring cyber risk in much depth. But some executives are going deeper; 13% of respondents chose "a comprehensive review including many metrics/benchmarks."

These results aren't surprising, given that there is no single standard framework for measuring cybersecurity and cyber risk. Each organization chooses its preferred model. "There is resistance to a single approach," Mossburg notes. "I think it may be because there is such a contextual element to cyber. Anytime you try to create a framework, it's hard to make sure every context can be incorporated." That reality contrasts starkly with the black-and-white measurement of finance, where clear accounting standards lay out exactly how to quantify and report financial information.

Organizations usually follow one of three approaches to cyber risk, says Mossburg. The first is maturity assessments, which are often based on the National Institute of Standards and Technology's cybersecurity framework, a guide on managing cyber risk. The second is risk quantification, in which organizations identify their top risk scenarios, examine how a cyber attack could hurt value, and make sure their cybersecurity program mitigates those specific risks. The third approach relies on the experience of cyber leaders, who are likely using specific technical metrics, "which makes