Cyber-risk management is more difficult today than it was two years ago. So say 74% of cybersecurity professionals in a recent ESG research survey. Respondents point to an expanding attack surface, an increase in software vulnerabilities, and more sophisticated tactics, techniques, and procedures (TTPs) from cyber-adversaries. (Note: I am an ESG employee.)
OK, so there’s a cyber-risk management gap at most organizations. What are they going to do about it? The research indicates that:
34% will increase the frequency of cyber-risk communications between the CISO and executive management. Now, more communication is a good thing, but CISOs must make sure they have the right data and metrics, and this has always been a problem. I see a lot of innovation around some type of CISO cyber-risk management dashboard from vendors such as Kenna Security, RiskLens (supporting the Factor Analysis of Information Risk (FAIR) standard), and Tenable Networks. Over time, cyber-risk analytics will become a critical component of a security operations and analytics platform architecture (SOAPA), so look for vendors such as Exabeam, IBM, LogRhythm, MicroFocus (ArcSight), Splunk, and SumoLogic to make investments in this area.32% will initiate a project for sensitive data discovery, classification, and security controls. Gaining greater control of sensitive data is always a good idea, yet many organizations never seem to get around to this. Why? It’s really, really hard work. This is another area ripe for more VC investment. Rather than paying Accenture, E&Y, or PWC millions, we need tools that can help automate data discovery and classification – especially as organizations ramp up on data privacy.
31% plan to hire more cybersecurity staff. That's a sound idea, but it is difficult to execute. According to recent research from ESG and the Information Systems Security Association ( organizations bridging cyber management
