Over half of all organisations are failing to measure the business costs of cyber risk, resulting in a lack of actionable insight for business leaders, according to new research.
The survey of 2,410 IT decision makers found that 54% of organisations are not measuring, and therefore don't understand, the business costs of cyber risk. Lack of understanding results in businesses being unable to take risk-based business decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors.
The lack of insight is in spite of the fact that 60% of organisations surveyed have suffered two or more business-disrupting cyber events (cyber attacks causing data breaches or significant disruption and downtime) in the last 24 months, and 91% of respondents suffered at least one such attack.
The survey conducted by Ponemon Institute for Tenable Inc, found that complex IT environments incorporating cloud, mobile, IoT, and DevOps make it increasingly difficult for organisations to understand their attack surface. This has created a massive gap in an organisation's ability to truly understand its Cyber Exposure at any given time. The research -- which surveyed 2,410 IT and infosec decision-makers in six countries -- found less than one third (29%) of respondents reported having sufficient visibility into their attack surface (i.e. traditional IT, cloud, containers, IoT and operational technology) to effectively reduce their exposure to risk. To further complicate this lack of visibility, more than half of respondents (58%) said their security function lacks adequate staffing to scan for vulnerabilities in a timely manner, with only 35% scanning when it's deemed necessary by an assessment of risks to sensitive data.
Together, these data points reveal that the tools and approaches organisations are using fail to provide the visibility and focus required to manage, measure and reduce cyber risk in the digital era.
Of those organisations that measure the business costs of cyber risk, 62% are not confident their metrics are actually accurate. Thus, decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical information - such as the costs of IP theft, loss of revenue or loss of productivity. Organisations admit to not using the key performance indicators (KPIs) they consider important to assessing and understanding cyber risks, and only 30% of respondents believe their organisations can translate cyber risk KPIs into actionable steps
This lack of rigor leaves boards of directors in the dark about the true cost of cyber risks to their organisations. Without confidence in the accuracy of their measures, CISOs and other security executives are reluctant to share critical information about the business costs of cyber risks with their boards.
"In today's digital economy, cyber risk equates to business risk. It's shocking to learn that organisations are suffering business-impacting cyber events yet are struggling to accurately measure the resulting financial cost," said Bob Huber, CSO, Tenable. "This study powerfully highlights that most organisations have not implemented security metrics that reflect cybersecurity's role as a core business function. CISOs need reliable metrics to help them make educated decisions on the allocation of resources, investments in technology and the prioritization of threats."