Enterprises face a challenging and fast-changing risk environment, and the pace of that change is only going to increase for the foreseeable future. Technologies such as artificial intelligence and connected devices are becoming increasingly commonplace, as are the privacy and security considerations that come with voice-first technology, which lets devices listen to almost everything people say.
This unprecedented degree of complexity on the risk horizon and the pace of change in the risk landscape are important factors to understand and prepare for.
New research, "The State of Enterprise Risk Management"—from ISACA, the CMMI Institute, and Infosecurity—highlights many of the key challenges enterprises face in establishing their risk tolerances and optimizing risk management processes. For the C-suite, one of the main opportunities for improvement is to prioritize faster turnarounds for acting on newly identified risks.
Here are top takeaways from the report for your security team.
Security response time is lagging
The research shows that only 31% of respondents say their company is able to put countermeasures in place to mitigate a new technology threat or vulnerability in less than a month. Further, a combined 40% of respondents report that it takes three months or longer to implement countermeasures.
Given the pace of today's business change, coupled with a growing threat landscape, enterprises that take too long to respond will inevitably find themselves unprepared to deal with critical business challenges. Streamlining the process—from identifying the risk to facilitating executive decision making—can help businesses become quicker and more agile in their execution.
As the research underscores, cyber risk is top of mind for companies of all sizes and across all sectors. Not only is cybersecurity the most acute pain point, it's also one of the most challenging risks to define and address.
Many organizations struggle to pinpoint the right methods of assessing and measuring their cybersecurity and may lack the needed talent or tools. This is especially true for small and medium-size businesses.
Risk tolerance and maturity: Grow up, already
The report also highlights the need to clearly define risk tolerances in order to advance along the maturity spectrum. The right stakeholders must hold ongoing discussions about risk tolerance and clearly convey that stance to the people throughout the organization whose daily decisions influence the level of risk to which it is exposed.
While nearly two-thirds of respondents have defined processes for risk identification, only 38% report that those processes are at either the managed or optimized level of the maturity spectrum.
In many cases, a lack of organizational alignment around risk management can serve as a stumbling block to optimizing those processes.
Security takes a village
Risk management is certainly not a new function for organizations, but many of the challenges on the enterprise risk landscape today are both new and more complex than ever. The good news is that there are additional steps you can take to bolster your security posture.
David will further address the "State of Enterprise Risk Management" research findings at the Infosecurity-ISACA North America Expo and Conference, taking place November 20-21, 2019, in New York.