
Organizations Prefer Quick Technological Fix Over Deep-Rooted Cyber Resiliency: Report

The Marsh/Microsoft 2019 Global Risk Perception Survey is a follow-on to a similar survey published in February 2018 (conducted in 2017). SecurityWeek criticized the earlier survey results for not including a specific cybersecurity function among the respondents. There are arguments on both sides, since the survey seeks to understand the overall business position rather than the CISO/CSO position -- but for organizations that delegate security to a siloed function, the organizational results could have been skewed.

In the latest survey, a combined IT and infosec category is included among the 1,500 global business leaders. Furthermore, the role of the CISO/CSO has also become better integrated into the business of organizations over the last few years; so, the lack of a specific security function among the respondents is less of an issue.

There are five primary takeaways from the results of the new survey. These are:

Cyber concern is up, but cyber confidence is down

The perception of cyber risk as a major priority has grown from 62% in 2017 to 79% in 2019. Today, cyber threats outweigh other threats by a wide margin -- the second most concerning risk is economic uncertainty at 59%.

However, while concern has grown, confidence in cyber resiliency has declined. The percentage of organizations 'not at all confident' in their ability to understand and assess cyber threats has doubled from 9% to 18%. Lack of confidence in the ability to mitigate or prevent attacks has grown from 12% to 19%; while no confidence in the ability to manage or respond to attacks has grown from 15% to 22%.

The report suggests that this could lead to confusion and frustration if increased investment in security 'does not directly correlate to improved outcomes'. However, concern over readiness is also a natural outcome of a better understanding of the extent of the threat, and these two findings could simply be two sides of the same coin.

Organizations prefer the quick technological fix to building cyber resilience throughout the organization

The argument for this conclusion is primarily based on the increase in IT/infosec as the main owner of cyber risk management (from 70% in 2017 to 88% in 2019). This is considered to be a negative indication. At the same time, ownership of cyber risk management by the risk management team has grown from 32% to 49%. This is considered a positive indication.

However, there is no indication of any degree of cooperation between security officers and risk officers, and the assumption that risk officers would not recommend a technological solution while security officers would not recommend a non-technological solution is not proven. Organizations may or may not prefer a quick technological solution, but the case is not proven either way by this survey.

The danger in any survey is not in the figures obtained, but in the interpretation of them. For example, the survey report states that the increase in ownership by the risk management team (by 17% from 2017 to 2019) signals "a trend toward increased ownership by risk management". It doesn't highlight that ownership by IT/infosec increased by 18% over the same period.

Organizations embrace new technologies but do not necessarily understand the associated new risks

Adoption of new technologies ranges from 90% for cloud computing, and 74% for connected devices/IoT, down to 32% for blockchain. Fifty percent of respondents believe the benefits offered by new technologies outweigh the risks in adopting them, while 23% believe the risk outweighs the benefit. There is a natural inverse correlation in understanding between the most adopted (and perhaps the oldest) new technology and the least adopted (and perhaps the newest) new technology: only 12% of respondents 'don't know' the risk associated with cloud, while 37% don't know the risk associated with blockchain.

Of particular concern is the process of onboarding new technologies. "Among respondents, assessment of cyber risk was too often seen as an event that occurs at a single point in time -- often, the initial exploration and testing stage -- rather than a continuous evaluation at multiple stages of implementation." More specifically, only 36% of respondents evaluated risks both prior to and after adoption, while only 5% evaluated risk at all possible stages of the lifecycle. Eleven percent do not evaluate the risks at all.

Partly, this may be affected by the level of trust placed in the new technology supplier. Thirty-two percent of the respondents trust their supplier to have already considered all relevant cybersecurity risks in their products. Forty percent, however, say they never accept vendors' claims, and always perform their own due diligence.

Organizations do not fully appreciate the risks inherent in digitized cyber supply chains

What concerns the report writers most is not that 39% of respondents recognize the risk posed by their own supply chain, but that only 16% recognize the onward risk they pose in the supply chain. To a degree, however, this is natural when organizations have an intimate knowledge of their own security practices, but a much lesser knowledge of third-party practices. 

Concern over supply chain integrity is important given the increasing incidence of attacks via the supply chain -- from both nation-state attackers such as APT10 and criminal groups such as Magecart. The report is concerned that in many cases organizations expect lower security standards from their suppliers than from themselves. "For example," it says, "56% of organizations said they expect suppliers in their digital supply chains to implement awareness training for their employees; yet 71% said that their organization has implemented such a requirement for itself. Such disparities could lead organizations to think their suppliers are less prepared to manage cyber risk than they themselves are, thus diminishing the organization's trust in its supply chain."

Organizations doubt the effectiveness of cyber regulations but welcome increased government support against nation-state threats

The survey highlights an interesting difference in attitudes to the role of government in cybersecurity. Recent years have seen a rapid growth in new legislation designed to hold organizations to account for their cybersecurity, from GDPR in 2018 to CCPA in 2020. Organizations are not at all sure that these benefit their cybersecurity posture, and have greater faith in the standards and guidance from organizations such as NIST and ISO. Thirty-seven percent of organizations believe that NIST/ISO are "very effective in helping us improve our cybersecurity posture" while only 28% believe that "government regulation and laws are very effective".

However, there is considerable concern over the threat posed by nation-state actors -- from up to 70% for large organizations and critical industries. Overall, 55% of the respondents believe that there is a need for governments to do more to protect private enterprise from nation-state cyber-attacks. "These results," says the report, "show that while firms generally prefer a non-prescriptive approach to managing their cyber security and cyber risk affairs, nation-state activity is a clear exception."

One of the biggest issues in any survey is the tendency for interpretations to support the business function of the surveyor. It is possible that some of the interpretations in this survey fall into this trap. For example, the preference for technological solutions over deeper security resilience is frowned upon, and appears to be blamed on IT/infosec owning risk management. The implication is that if risk management owned cybersecurity, the company would have a better-balanced approach to cybersecurity.

This is not proven by the survey. However, risk management is probably more aware of and sympathetic towards risk transfer over risk mitigation -- and that generally means insurance. Indeed, the report specifically declares, "Not all cyber risks can be mitigated through technology, policy, or process, especially those low frequency but high severity losses that can inflict significant financial and operational damage. In these cases, risk transfer through insurance or other methods is essential." 

Concern that organizations are more worried about the supply chain damage that can be done to them than about the damage they can do to the supply chain is another example. Forward-looking damage is more a liability than a security risk, and is better tackled by risk transfer than by risk mitigation.

Marsh is an insurance firm. It describes itself as, "a global leader in insurance broking and innovative risk management solutions." It would be natural for interpretations to lean towards the use of cyber insurance. Readers of the report should bear this in mind. But cyber security is probably too complex to be handled by anyone other than a dedicated cyber security specialist. That means a CISO or CSO, rather than just an aspect of business risk management.

It is true, however, that the security function needs to be fully integrated with risk management, and that cyber insurance is a valuable addition to an organization's cyber security posture. It is not a replacement for technology, and the correct level and content for insurance is best determined through the combined offices of security and risk management -- not one or the other.

Related: Structure of Cyber Risk Perception Survey Could Distort Findings 

Related: Zurich Rejects Mondelez' $100M NotPetya Insurance Claim Citing 'Act of War' 

Related: Cyber Insurance Market to Double by 2020

Related: AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.