Closing the gap between cyber risk strategy and execution
Effective cyber risk management is more crucial than ever for organizations across all industries as threat actors are constantly evolving their tactics. Yet the latest Cyber Risk Peer Benchmarking Report from Critical Start unveils a striking dichotomy between strategy and execution in cyber risk management. While 91 percent of organizations acknowledge the criticality of having a robust risk management strategy, the execution of these strategies appears to fall short.
This gap between cyber risk strategy and execution widens as organizations grow larger. To fully comprehend an organization's risk and execute strategies effectively, IT leaders must first understand the lifecycle of cyber risk and ensure each stage is addressed.
Managing the Lifecycle of Cyber Risk
Cyber risk is complex, with a lifecycle sprawling across multiple stages: Discover, Assess, Prioritize, Remediate, and Measure. Each stage is singularly important, but the effectiveness of the entire lifecycle hinges on how well each part is executed and integrated with the others. Unfortunately, data suggests there’s often a significant gap between these stages, especially when it comes to actionable insights and measurable outcomes:
- Discover -- Asset Visibility: Discovery focuses on gaining complete visibility of the assets within an organization. Despite its critical nature, only 31 percent of organizations have comprehensive asset inventory and visibility. This foundational gap can cascade into further vulnerabilities as unidentified assets can’t be protected. A surprisingly high percentage of organizations lack continuous asset inventory, leaving them vulnerable to threats targeting unknown and unprotected assets. Even among organizations maintaining basic asset inventories through manual processes or tools, only up to 70 percent of critical assets are identified.
- Assess -- Vulnerability and Exposure Awareness: After discovering assets, the next logical step is assessing vulnerabilities. Here, the situation is equally grim. Only 28 percent of organizations scan for vulnerabilities with a frequency of monthly or greater, and even fewer manage to apply critical patches within seven days of detection. The result is a slower response that leaves systems open to exploitation far longer than necessary.
- Prioritize -- Using Intelligence to Predict Exploitation: Even if vulnerabilities are known, prioritizing them efficiently remains a hurdle. Many available tools either lack effective vulnerability prioritization or charge steep premiums for contextualized prioritization. Critical vulnerabilities are left unaddressed, increasing the risk of a breach.
- Remediate -- Implementation of Mitigating Measures: About 72 percent of organizations wait 30 days or more to patch critical systems, with some updates delayed up to four months after patches become available. Such delays are risky, particularly when exploits for these vulnerabilities may be actively used in the wild, which is something else to factor into prioritization.
- Measure -- Identifying Gaps and Prioritizing Improvements: Finally, organizations must measure the effectiveness of the cybersecurity measures that are in place. Shockingly, 53 percent of organizations conduct risk assessments only in an ad-hoc manner, sometimes going years between assessments. This sporadic approach often aims more at compliance than genuine security improvement, leading to outdated and inefficient cybersecurity practices.
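The five stages above are easier to act on when each one produces a measurable number. The following script is an added illustration, not code from the article or from Critical Start: it runs a constructed set of vulnerability findings through a simple prioritize-remediate-measure loop, scoring each finding by severity, asset criticality and whether exploitation has been observed in the wild, and then reporting how the organization performs against the scan-cadence and patch-latency thresholds the article cites (monthly scanning, seven days for critical fixes, 30 days as the point past which a fix is overdue). The field names, the 1-3 asset criticality scale, the severity weights and the doubling for known-exploited findings are assumptions chosen for the example; the finding identifiers and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    asset: str
    vuln_id: str                # constructed placeholder ids, not real CVE numbers
    severity: str               # "critical" | "high" | "medium" | "low"
    asset_criticality: int      # assumed 1 (low) .. 3 (business-critical) scale
    known_exploited: bool       # exploitation observed in the wild (threat intel)
    patch_available: date       # date the vendor fix became available
    remediated: Optional[date] = None   # None while the finding is still open

# Assumed weights for the example; tune to the organization's own risk model.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Remediation SLAs in days, taken from the thresholds the article cites.
SLA_DAYS = {"critical": 7, "high": 30}

def priority_score(f: Finding) -> int:
    """Prioritize: severity x asset criticality, doubled if exploited in the wild."""
    score = SEVERITY_WEIGHT[f.severity] * f.asset_criticality
    return score * 2 if f.known_exploited else score

def prioritize(findings):
    """Highest score first; ties go to the finding whose fix has waited longest."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.patch_available))

def patch_latency_days(f: Finding, today: date) -> int:
    """Days from fix availability to remediation (or to today if still open)."""
    return ((f.remediated or today) - f.patch_available).days

def sla_compliance(findings, today, sla_days=None):
    """Measure: fraction of findings per severity that are within SLA.
    An open finding still inside its SLA window counts as compliant so far."""
    sla_days = sla_days or SLA_DAYS
    counts = {sev: [0, 0] for sev in sla_days}          # sev -> [met, total]
    for f in findings:
        if f.severity not in sla_days:
            continue
        counts[f.severity][1] += 1
        if patch_latency_days(f, today) <= sla_days[f.severity]:
            counts[f.severity][0] += 1
    return {sev: (met / total if total else None) for sev, (met, total) in counts.items()}

def overdue(findings, today, max_age_days=30):
    """Open findings whose fix has been available for more than max_age_days."""
    return [f for f in findings
            if f.remediated is None and patch_latency_days(f, today) > max_age_days]

def scan_cadence_ok(scan_dates, max_gap_days=30) -> bool:
    """Assess: True when no gap between consecutive scans exceeds max_gap_days."""
    ds = sorted(scan_dates)
    return all((b - a).days <= max_gap_days for a, b in zip(ds, ds[1:]))

# Constructed sample data for the example (not from the report).
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-1", "critical", 3, True,  date(2024, 6, 1), date(2024, 6, 5)),
    Finding("db-01",  "VULN-2", "critical", 3, False, date(2024, 5, 1)),
    Finding("hr-app", "VULN-3", "high",     2, True,  date(2024, 6, 10), date(2024, 6, 20)),
    Finding("kiosk",  "VULN-4", "low",      1, False, date(2024, 3, 1)),
]
SAMPLE_SCANS = [date(2024, 1, 15), date(2024, 2, 10), date(2024, 3, 20)]  # one 39-day gap

def lifecycle_report(findings=SAMPLE_FINDINGS, scans=SAMPLE_SCANS, today=SAMPLE_TODAY):
    """Single summary a security leader can track from one cycle to the next."""
    return {
        "priority_order": [f.vuln_id for f in prioritize(findings)],
        "sla_compliance": sla_compliance(findings, today),
        "overdue_30d": [f.vuln_id for f in overdue(findings, today)],
        "monthly_scanning": scan_cadence_ok(scans),
    }

if __name__ == "__main__":
    print(lifecycle_report())
```

Run against real data, the report answers the questions the benchmark asks: is scanning at least monthly, which critical fixes have slipped past seven days, and what share of open findings have waited more than 30 days. The known-exploited flag is what pushes a lower-severity finding on a critical asset ahead of an unexploited critical one, which is the point the Prioritize and Remediate stages make.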
Cybersecurity Workforce Shortages Magnify The Issue
The gap between cyber risk strategy and execution continues to widen as the cybersecurity industry faces current expertise and headcount shortages. According to CyberSeek, over 200,000 cybersecurity workers are needed to close the talent gap. As demand continues to outstrip supply, organizations are struggling to find, hire, and retain staff with the necessary training and skills to perform successful cyber risk assessments and remediate based on the findings. As a result, businesses are unable to execute cyber risk strategies effectively, leaving critical data and systems vulnerable to emerging threats.
Organizations both large and small are affected by this. According to a recent GAO report, the Department of Defense (DoD) failed to consistently report cybersecurity assessments on its software, which is critical to identifying and fixing vulnerabilities during the cyber risk lifecycle. Talent shortages are exacerbating this issue, leading to slower development and deployment of new weapons. An urgent solution is needed to solve the disconnect between finding and retaining skilled workers who can understand and effectively manage vulnerabilities.
Making Data-Driven Decisions
Managing a cyber exposure lifecycle is daunting, but not insurmountable. It's clear that proactive, integrated strategies are essential to enhance security effectiveness. With the right tools and strategies, organizations can transform their cybersecurity practices from reactive to proactive without rebuilding a cybersecurity team. Ensuring each stage of the lifecycle is efficiently managed will significantly reduce overall cyber risk, safeguarding critical data and systems from emerging threats.
Cyber risk peer benchmarking provides valuable insights into how organizations are performing in terms of their risk management strategies and execution. Benchmarking involves comparing an organization's cyber risk management practices against those of similar size and industry organizations. Businesses can identify strengths and weaknesses across the tools and strategies they use to secure their assets, allowing them to make data-driven decisions to reduce cyber risk.
Organizations have made strides in developing cyber risk strategies, but execution remains a challenge. By utilizing innovative security solutions alongside peer benchmarking insights, security leaders can bridge the gap between strategy and execution, ultimately strengthening their cyber resilience.
Randy Watkins is the Chief Technology Officer (CTO) for Critical Start and an emerging thought-leader in the security industry. As CTO, Randy is responsible for designing and executing the company’s strategic technology initiatives, which includes defining the strategy and direction of Critical Start’s Managed Detection and Response (MDR) services.