Chapter 2. Findings: Understanding Cyber Risks and Response Readiness:
3. Large companies lack the facts and processes to make effective decisions about cyber resilience
A survey conducted in parallel to augment the interviews points to gaps across sectors in current risk management capabilities. Of the 100 companies whose cyber risk management processes were examined, 90% had “nascent” or “developing” risk management capabilities. Only 21% were rated “mature” or better on four or more of the eight practice areas studied. (See Figure 5.)
FIGURE 5: MAJORITY OF FIRMS HAVE NASCENT OR DEVELOPING CYBER RISK MANAGEMENT CAPABILITIES
Institutions can be segmented based on the sophistication of their risk management capabilities and the scale of their cyber resilience expenditure. Spending and enterprise maturity are not correlated, however. “Unprotected” companies spend little and spend it poorly. Others punch above their weight by spending little but doing a better job of risk management. Still others, the “well-protected”, spend vigorously and have relatively good capabilities for extracting value from their investment. Finally, some seem to throw resources at the problem, spending a great deal without much risk management sophistication. (See Figure 6.)
FIGURE 6: CYBERSECURITY MATURITY
The workshops and other research found that banking is slightly more mature than other sectors in cyber resilience capabilities. The largest companies across sectors are also slightly more mature than smaller ones. Variations within a sector and a size band are much larger than variations between sectors and between size bands. Even the largest firms have substantial room for improvement. For example, while financial services organizations tend to be more mature than other sectors, senior non-technical executives still struggle to incorporate cyber risk management into enterprise risk management discussions, and are often unable to make informed decisions because of a lack of data.