TRENDING
using fail to provide the visibility and focus
required to manage, measure and reduce
cyber-risk in the digital era.
Of those organisations that measure the
business costs of cyber-risk, 62% are not
confident their metrics are actually accurate.
Thus, decisions about the allocation of
resources, investments in technologies
and the prioritisation of threats are being
made without critical information – such
as the costs of IP theft, loss of revenue or
loss of productivity.
Organisations admit to not using the
key performance indicators (KPIs) they
26
INTELLIGENTCIO
consider important to assessing and
understanding cyber-risks: share critical information about the business
costs of cyber-risks with their boards.
• A total of 64% rated ‘time to assess’
an essential KPI but only 49% actually
measure it
• A total of 70% rated ‘time to remediate’
an essential KPI but only 46% measure it
• Only 30% of respondents believe their
organisations can translate cyber-risk KPIs
into actionable steps “In today’s digital economy, cyber-risk
equates to business risk. It’s shocking to learn
that organisations are suffering business-
impacting cyberevents yet are struggling to
accurately measure the resulting financial
cost,” said Bob Huber, CSO, Tenable. “This
study powerfully highlights that most
organisations have not implemented
security metrics that reflect cybersecurity’s
role as a core business function. CISOs
need reliable metrics to help them make
educated decisions on the allocation of
resources, investments in technology and the
prioritisation of threats.” n
This lack of rigour leaves boards of directors
in the dark about the true cost of cyber-risks
to their organisations. Without confidence in
the accuracy of their measures, CISOs and
other security executives are reluctant to
www.intelligentcio.com