Companies are proactively shoring-up risk management according to new research, demonstrating a promising awareness of the increasingly sophisticated tactics used by adversaries to penetrate networks and need to be more proactive.
Research conducted by CyberRisk Alliance Business Intelligence and sponsored by Reciprocity showed that 89% of surveyed companies are “very likely” to or “have already adopted or added” a new risk framework, such as the one developed by the National Institute of Standards and Technology (NIST).
Some 91% say they are “very likely” to or “have already hired” additional IT security staff, while 83% said they are “very likely” to or have “already outsourced” cybersecurity risk management to an outside firm. Another 87% said they are “very likely” to or “already have made” the purchase of a governance, risk and compliance (GRC) tool or platform.
According to the report, respondents “plainly see” a need to enhance security and recognize that security has become not just a technology issue, but also a top concern of the boardroom and senior management.
The data and insights are based on an October 2021 online survey of 252 senior-level U.S. executives in IT, cybersecurity and governance, risk, and compliance roles employed at mid-size to large organizations, 250 to 5,000 employees. Respondents were employed in a variety of industries focusing on IT services/software, manufacturing, financial services, banking, and professional services. The study was underwritten by Reciprocity, makers of the ZenGRC Platform.
With awareness comes proactive measures
Over the years, U.S.-based companies tended to take a more reactive approach to security (respond and recover) than proactive (identify, protect, and detect) based on the NIST cybersecurity framework.
That has changed of late, as 54% of all respondents now say they have a proactive risk management approach. However, fewer than 20% of respondents claim that they have a real-time approach. Financial and professional services respondents were the most likely to use frameworks and other best practices.
Underscoring the importance of a hybrid security environment, a financial services director of IT said this about the change in attitude among senior leadership. “They realize the importance of cybersecurity, as more of our employees are working in a hybrid environment," said the respondent. "So they are quite supportive when we ask for an increased budget, especially in the current hybrid working environment.”
Indeed, a senior director of IT at a telecom firm said the company’s loss of reputation from a breach or ransomware attack was a top concern of senior management: “When it comes to reputation, we have to be strategic. Frequent cyber-attacks tarnish the company’s reputation and put it at risk of losing clients to competitors.”
Finally, a software industry chief information security officer said risks from ransomware and other attacks, including regular attacks on the company’s database by hackers, are likely to require an increase in the cybersecurity budget for 2022. Some 69% added that they will hire additional cybersecurity staff.