
WHITEPAPER PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY

CONTENTS
Executive Summary ........ 3
The Cybersecurity and Business Risk Survey ........ 4
Introduction ........ 5
The Shared Pain in Security and Risk ........ 7
A Convergence of Security and Risk ........ 10
Conclusion ........ 12

EXECUTIVE SUMMARY

Despite their best efforts and investments, some organizations still experience difficulty as a result of organizational, operational and even cultural differences between their IT security and business risk functions. These gaps can be seen in the ways security and risk teams describe their environments, their challenges and even their relationships with one another.

In early 2018, RSA commissioned the Cybersecurity and Business Risk Survey, executed by Enterprise Strategy Group (ESG), to learn more about the challenges and priorities of IT security and business risk professionals. This report, which reflects select findings from the survey, is intended as a glimpse into the minds of security and risk leaders. It describes the pain these teams feel in pursuit of protecting their organizations' digital assets and data, in the face of challenges from the forces of modernization, malice and mandates.

Encouragingly, at the same time, it reveals another trend, suggesting that these teams are breaking out of their silos and starting to work more closely together toward their common goal of helping their organizations manage digital risk. The survey responses indicate that these teams are embracing the convergence of IT security and business risk by prioritizing the interconnectivity of security and business functions, and by seeking to overcome the limitations of siloed strategies with a more inclusive approach. This kind of approach, driven by business priorities and context, is best positioned to protect what the organization values most.

If one thing is clear in the survey's responses, it is that working to establish common metrics, integrated tools and agreed-upon priorities can help these teams more effectively and efficiently manage the organization's digital risk.

3 Pain and Progress: The RSA Cybersecurity and Business Risk Study

THE CYBERSECURITY AND BUSINESS RISK SURVEY

In early 2018, RSA commissioned an online survey, executed by Enterprise Strategy Group (ESG), to learn more about the challenges and priorities of IT security and business risk professionals. The 175 respondents include a mix of IT/IT security professionals and business risk/governance, risk and compliance (GRC) professionals (see FIGURE 1) employed at organizations in North America with at least 1,000 employees (see FIGURE 2), and in industries including, but not limited to, financial services, public sector, professional services, healthcare and manufacturing (see FIGURE 3).

FIGURE 1: RESPONDENT JOB FUNCTION (pie chart; categories: Information Technology (IT), i.e., CIO, IT management/staff positions; Governance, Risk, Compliance or Legal, i.e., Chief Risk Officer or other GRC-focused management/staff positions; IT Security, i.e., CISO or other security-focused management/staff positions). Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018; n=175

FIGURE 2: RESPONDENT ORGANIZATION EMPLOYEE COUNT (pie chart; bands: 1,000 to 2,499; 2,500 to 4,999; 5,000 to 9,999; 10,000 to 19,999; 20,000 or more). Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018; n=175

FIGURE 3: RESPONDENT ORGANIZATION INDUSTRY (pie chart; sectors: Financial (banking, securities, insurance); Manufacturing; Business Services (accounting, consulting, legal, etc.); Communications & Media; Government (Federal/National/State/Local); Retail/Wholesale; Health Care; Other)

INTRODUCTION

Defending the network isn't getting any easier, according to our respondents. The Cybersecurity and Business Risk Survey asked respondents to start by answering some big-picture questions to help set the stage. Of the results, a select few stood out as indicative of the current threat environment and the surveyed organizations' daily challenges.

When asked if their organization had experienced a security breach in the past two years, 70 percent of respondents confirmed they had (see FIGURE 4). What's more, 85 percent of those who had experienced a breach in the past two years actually experienced two or more in that timeframe (see FIGURE 5).

FIGURE 4: EXPERIENCED A SECURITY BREACH IN LAST 2 YEARS? Yes: 70%; No: 25%; Don't know: 5%. Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018; n=175

FIGURE 5: NUMBER OF SECURITY BREACHES IN LAST 2 YEARS? Once: 15%; the remaining 85% reported two or more breaches, split 36%, 33%, 13% and 3% across the bands "Between 2 and 5 times", "Between 6 and 10 times", "Between 11 and 25 times" and "More than 25 times". Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018; n=122

This grim trend isn't surprising, though. Today's attackers are able to employ the tools, techniques and procedures at their disposal to orchestrate sophisticated campaigns, target a specific organization or employee, persist until successful, and dig in for the long haul. This particular threat multiplier, dwell time, is a salient one for respondents: more than 60 percent overall said that, in some cases, attackers had been on their network for several months prior to being detected (see FIGURE 6).

FIGURE 6: RESPONDENTS' BREACH INCLUDED DWELL TIME (percent of respondents per statement; columns: Strongly agree / Agree / Neither agree nor disagree / Disagree / Strongly disagree)
- My organization considers security breaches as a business risk rather than just an IT risk: 47% / 35% / 9% / 6% / 3%
- My organization's executive leaders are fully invested in supporting efforts to prevent, detect, and respond to security breaches: 45% / 37% / 13% / 5% / 1%
- The relationship between business risk and IT security can be difficult to coordinate: 30% / 43% / 13% / 9% / 5%
- ...regards to the IT and business risk management skills necessary for security breach detection (statement truncated in the source): 30% / 37% / 18% / 10% / 5%
- We've determined that attackers were on our network for several months before detection in some cases: 30% / 32% / 16% / 15% / 7%
- Business risk and IT security personnel tend to use different tools and language, making communications between these groups challenging: 29% / 40% / 19% / 9% / 3%
- ...regards to the IT and business risk management skills necessary for security breach response (statement truncated in the source): 29% / 39% / 18% / 9% / 5%
- It can be difficult to detect security breaches in a timely manner: 26% / 41% / 17% / 11% / 5%

Knowing more about the frequency and success of attacks, among these other insights, is critical to better understanding the overall threat environment. This is largely because such information is often closely guarded, since it could impact the revenue and brand reputation of the victim, even if reasonable precautions were taken. As such, most of the world tends to see only the big breaches that make the news, and that shapes our understanding of the current state. From the perspective of the respondents, who live each day with the realities of security and risk management, the view is much different.

Despite the multitude of outside challenges highlighted in the responses, there is some agreement that change needs to come from within, focusing on bridging cultural and operational differences and creating a common language, expectation and measurement for security and risk management. Leadership can help; in fact, the convergence can only happen with real sponsorship and support all the way up to the board. Fortunately, a resounding 82 percent of respondents believe their organizations' executive leadership is on board with efforts to secure their network and data (see FIGURE 7), and 91 percent say their organization's cybersecurity budget will increase in 2018 (see FIGURE 8).
FIGURE 7: ARE LEADERS ON BOARD? (the same agreement chart as FIGURE 6; the relevant row is "My organization's executive leaders are fully invested in supporting efforts to prevent, detect, and respond to security breaches": 45% strongly agree / 37% agree / 13% neither agree nor disagree / 5% disagree / 1% strongly disagree)

FIGURE 8: ANTICIPATED INCREASE IN 2018 SECURITY BUDGET? "Yes, substantially" and "Yes, somewhat": 91% combined (50% and 41%); the remaining 8% answered "No" or "Don't know" (5% and 3%). Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018; n=175

The combination should be seen as good news; if organizations want to enact real change and start defending what they hold most valuable, this additional resourcing and support is critical to embracing and accelerating the convergence of security and business risk. With this set of indicators, we can start to understand the general mindset of the respondents. This is an important context to keep in mind when considering the difficulties they experience from a lack of coordination between IT security and business risk.

THE SHARED PAIN IN SECURITY AND RISK

Security and risk teams not only experience challenges from external threats and actors; some of their pain comes from their internal relationship with one another. More than 70 percent of respondents agreed the relationship between the two teams can be difficult to coordinate (see FIGURE 9).

FIGURE 9: DIFFICULTY IN COORDINATING THE SECURITY AND RISK RELATIONSHIP? (the same agreement chart as FIGURE 6; the relevant row is "The relationship between business risk and IT security can be difficult to coordinate": 30% strongly agree / 43% agree / 13% neither agree nor disagree / 9% disagree / 5% strongly disagree)

Respondents cited a number of relationship challenges, some of which spring from the cultural differences between security and risk functions, including differences in terminology, tools and priorities. Business risk and IT security personnel tend to use different tools and language, exacerbating communication gaps between these groups, according to 69 percent of those surveyed (see FIGURE 10).
FIGURE 10: DIFFERENCES IN TOOLS AND LANGUAGE (the same agreement chart as FIGURE 6; the relevant row is "Business risk and IT security personnel tend to use different tools and language, making communications between these groups challenging": 29% strongly agree / 40% agree / 19% neither agree nor disagree / 9% disagree / 3% strongly disagree)

Overall, respondents went on to report how the differences in technology, language, metrics, structure and goals created challenges that made improving the security-risk relationship more difficult (see FIGURE 11).

FIGURE 11: TOP CHALLENGES TO BUILDING THE SECURITY-RISK RELATIONSHIP. In your opinion, what challenges are there to establishing a strong working relationship between IT security and business risk management? (Percent of respondents, N=175, multiple responses accepted)
- IT security and business risk personnel use different tools and technologies to do their jobs: 46%
- IT security and business risk personnel use different terms and language to communicate: 41%
- IT security and business risk personnel are measured using different metrics: 40%
- IT security and business risk personnel have different reporting structures: 39%
- IT security and business risk personnel are not aligned in terms of goals and objectives: 34%
- My organization hasn't really embraced IT security threats as a true business risk, so this relationship isn't considered very important: 31%
- None of the above: 3%

Different tools and technologies (46 percent) stood out as the most cited reason respondents felt they weren't growing closer to their peers on the security or risk side of the business. Security systems tend to be very technical and focused on the infrastructure, identifying and addressing the perceived threat and stopping it first and foremost. Risk leaders tend to use different techniques, and thus different tools, focused more on the business, to anticipate and assess risk based on their knowledge of the organization and its strategy. When security systems are not able to incorporate risk data, and vice versa, neither of these systems will be in concert when the data is used to make important decisions about what protections to invest in, where to apply them, and in what priority. But the technologies they use are just a part of the web of cultural and operational factors standing between security and risk teams.

Terms and Language (41 percent): Poor communication can be as problematic to the relationship as any technology challenge, if not more. Security performance is often described in pragmatic terms: hits, blocks, alerts, breaches. Risk management tends to use more speculative terms: likelihood, potential, impact. This demonstrates how some security and risk teams, not to mention their tools, may be talking right past one another.

Goals and Metrics (34 percent and 40 percent, respectively): Understanding what success looks like (i.e., goals and objectives), and measuring against commonly understood indicators (i.e., metrics), are requirements in any business undertaking. Technology is where these understandings take shape, and it can only provide what it has been asked to provide, based on the human understanding of direction and status.

Reporting Structures (39 percent): With differing goals, it is not surprising that security and risk teams have differing organizational structures and reporting hierarchies. This can confound cooperation, given that peer levels are not always clearly identifiable, and communication may move differently throughout each team structure.

These cultural divides are important hurdles organizations must clear to embrace the convergence of security and risk. Breaking out of strategic and operational silos is only useful in the pursuit of something larger, something that can truly work in the favor of both teams, and ultimately the entire organization. Fortunately, as divided as they may seem, there is additional data from the survey to suggest that many more security and risk teams are reaching across the gap that divides them, and combining forces to achieve a common goal.

A CONVERGENCE OF SECURITY AND RISK

Despite lingering challenges and uncharted territory for some, there are indications in the survey responses suggesting that a change is underway, drawing security and risk teams together. To start, an overwhelming 93 percent of respondents to the Cybersecurity and Business Risk Survey characterized the relationship between their IT security and business risk teams as good or very good (see FIGURE 12). This satisfaction with one another is crucial to encouraging these teams to develop security and risk management strategies in concert, fueled by context and enabled by visibility across the spectrum. The continued satisfaction with this relationship will be absolutely instrumental in enabling the convergence of security and risk. The same pain points that separate these teams are noted as the areas where these teams are prioritizing their efforts.

FIGURE 12: RESPONDENTS CHARACTERIZE SECURITY-RISK RELATIONSHIP. "Very good, the teams have established formal processes, metrics, and communication vehicles to collaborate on identifying and mitigating business/IT risks" and "Good, the teams have established some processes, metrics and communication vehicles to collaborate on identifying and mitigating business/IT risks, but continue to work on their processes, metrics and communication vehicles": 93% combined (47% and 46%); the remaining 7% chose "Fair, the teams are working on establishing processes, metrics, and communication vehicles to collaborate on identifying and mitigating business/IT risks but this work is just beginning", "Poor, the teams do not have established formal processes, metrics, and communication vehicles to collaborate on identifying and mitigating business/IT risks" or "Don't know". Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018; n=175

In another good sign, most respondents (82 percent) said their organizations consider security breaches as a business risk, not just a security risk (see FIGURE 13). This is just one simple, but critical, agreement that can help organizations bridge some of the aforementioned organizational and cultural gaps between security and risk teams, from language to goals and metrics.

FIGURE 13: MANY ORGANIZATIONS CONSIDER BREACHES AS BUSINESS RISKS (the same agreement chart as FIGURE 6; the relevant row is "My organization considers security breaches as a business risk rather than just an IT risk": 47% strongly agree / 35% agree / 9% neither agree nor disagree / 6% disagree / 3% strongly disagree)

Part of the problem with cultural and operational silos is that they prevent a well-rounded understanding of the strategic or tactical situation. One way to remedy this is to approach security strategy as a collaborative exercise that should include business risk management as much and as early as possible in the process. When asked about this, 41 percent of respondents agreed collaboration was the best action they could take to improve the security-risk relationship (see FIGURE 14).

FIGURE 14: TOP RECOMMENDATIONS TO BUILD THE SECURITY-RISK RELATIONSHIP. Which of the following actions could your organization take to improve the relationship between the IT security team and business risk managers? (Percent of respondents, N=175, multiple responses accepted)
- Get both groups to work more collaboratively on security breach prevention and preparation: 41%
- Expose business risk managers to IT security initiatives early so they can assess risk properly: 41%
- Improve the relationship between CISOs and Chief Risk Officers (CROs): 38%
- Improve the understanding and quantification of the impact of security breaches: 37%
- Standardize on common language and terminology: 37%
- Move from ad-hoc to more formal processes and communications between these groups: 36%
- Create formal and documented incident response plans: 35%
- Get executive management more involved in the oversight of both groups: 35%
- Improve business risk identification tools and metrics: 30%
- Standardize on common tools: 25%
- None of the above: 1%
Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018

There are indications from the respondents that some teams are doing more than just thinking about the value of security and risk working together, and especially so in response to a previous breach. Following up on the aforementioned breach statistics, 44 percent of respondents said that their organizations increased coordination and communications between risk and IT security personnel as a result of a security breach within their organization or within their industry. Further, 43 percent said their organizations developed or enhanced an enterprise-wide business risk framework as a result of a breach (see FIGURE 15).

FIGURE 15: TOP RISK-ORIENTED ACTIONS RESULTING FROM A BREACH. What business risk-oriented actions, if any, has your organization taken or expanded as a result of a previous security breach in the past two years at your organization or within your industry? (Percent of respondents, N=175, multiple responses accepted)
- Increased coordination and communication between business risk and IT security personnel: 44%
- Developed or enhanced an enterprise-wide business risk framework: 43%
- Developed ways for business risk management and IT security teams to improve collaboration: 42%
- Invested in new software solutions to support business risk management process: 42%
- Increased executive management's involvement in business risk management: 41%
- Found ways to leverage IT security tool investments to manage business risk: 37%
- Hired new or additional risk analysis staff: 32%
- Hired a Chief Risk Officer or other executive focused on business risk: 29%
- Purchased some type of cyber insurance: 26%
- None of the above: 2%
Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018

CONCLUSION

The Cybersecurity and Business Risk Survey sheds new light on the experiences and hopes of security and risk leaders in pursuit of the ultimate goal: protecting organizations from the increasing challenges of modernization, malice and mandates. RSA's study contributes to the ongoing discussion about whether and how to rethink and strengthen the relationship between these teams, including how far they have come and how much further they still need to go.

The latter point is clear when looking at another facet of the responses, one that betrays a difference of opinion on the priority and direction of next steps. Some responses to this survey showed that, for all of their general agreement, the teams themselves don't seem to agree on what steps are most important to pursue first. For example, there was a notable difference between how IT/IT security and GRC respondents prioritized exposing risk managers to IT security initiatives early as a way to improve the relationship between the two groups. While 47 percent of IT/IT security respondents selected this as an option, the most popular response among the cohort, only 28 percent of GRC respondents felt this was a viable action to take (see FIGURE 16). Another salient example comes when respondents were asked about the importance of improving business risk identification tools and metrics (see FIGURE 16). As with the previous example, it was cited much more by IT/IT security respondents (36 percent) compared to GRC respondents (17 percent).

FIGURE 16: SECURITY-RISK DISAGREEMENT ON SOME OPTIONS FOR IMPROVEMENT. Which of the following actions could your organization take to improve the relationship between the IT security team and business risk managers? (Percentage of respondents; IT/IT Security N=122 and GRC N=53; multiple responses accepted)
- Expose business risk managers to IT security initiatives early so they can assess risk properly: IT/Security 47%, GRC 28%
- Improve business risk identification tools and metrics: IT/Security 36%, GRC 17%
Source: ESG Research, Cybersecurity and Business Risk Survey, March 2018

In both of these examples, not only are these teams not in concert around key aspects of the security and risk management relationship, but the IT/IT security respondents were also more interested in taking firm steps to close the gaps and consider business risk than the business risk respondents were. Whether the cause is a cultural gap or a misunderstanding of where the important work needs to be done, fundamental discrepancies like these will continue to challenge security and risk teams, regardless of their level of commitment to the security-risk convergence.

2018 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. Published in the USA 04/18, White Paper.