Make Time To Focus On Cyber Risk
Consider this an editorial.
According to a post on youTalkinsurance (https://youtalk-insurance.com/broker-news/business-leaders-have-less-than-1-day-a-year-to-focus-on-cyber-risk), the 2019 Marsh Microsoft Global Cyber Risk Perception Survey of 1,500 organizations showed that a majority of board members and senior executives “had” (their word, not mine) less than one day a year to focus on cyber risk.
Some statistics from the survey:
- Nearly 80% of organizations rank cyber risk as a top five concern, but only 11% had a high degree of confidence in their ability to assess, prevent and respond to cyber threats. (In a 2017 survey the percentages were 62% and 19% respectively.)
- 65% of organizations identified a senior executive or board member as “owning” cyber risk management, but only 17% of executives and board members spend more than a few days focusing on cyber risk. 51% spend several hours or less.
- 88% of respondents identified their information technology and security workers as “owners” of cyber risk management, but 30% of IT respondents only spent a few days or less focusing on cyber risk.
- 77% of respondents have adopted or are adopting new technologies, but only 36% evaluate cyber risk before and after adoption, and 11% don’t evaluate risk at all.
There are serious disconnects here. Perception of cyber as a top risk is UP, but confidence in dealing with it is DOWN. The people who supposedly “own” the risk spend little time focusing on it. New technologies are adopted with little or no evaluation of risk (have these people not heard the expression “Failing to plan is planning to fail”?).
If cyber risk is a top five concern – and it should be – organization leaders should be spending close to 20% of their time focusing on it. Make the time. Refusal is a failure of leadership.