CISOs are Still Making These Three Risk Management Mistakes

Cybersecurity has become a top priority for most enterprises, especially in recent months, due to the evolving nature of cyberattacks. However, many CISOs are still struggling to effectively manage cyber risk.

Enterprise leaders now rank cybersecurity as a top-level priority and view it as a strategic risk requiring immediate attention. However, surveys conducted over the years showcase a different scenario. In fact, the 2019 Global Cyber Risk Perception Survey, conducted by Marsh and Microsoft, found that 79% of respondents say cybersecurity is among the top five concerns of their enterprise. Yet, only 11% admit they have a high degree of confidence in their organization’s cyber resiliency.

According to another survey, the 2019-2020 Public Company Governance Survey conducted by the National Association of Corporate Directors, 66% of respondents said that their organizations had addressed cyber risk on the board agenda at least once in the previous year. Yet, despite this board-level attention, 61% of respondents stated that their companies would still prioritize business operations and upcoming initiatives over cybersecurity.

Since security risk management is still maturing, most executives have a hard time managing security risks effectively. They make errors in many areas, but the following three are the most common:

Not aligning security and business objectives

Since most CISOs struggle to measure what their enterprises care about, they focus only on technical exposures rather than on the overall impact to the business. Instead of getting caught up in solutions and the total number of vulnerabilities, they should identify the risks to the outcomes that their enterprises prioritize.

They should also clearly define what they consider acceptable risk levels. If they do not, they reinforce the existing silos between security and the business, making effective risk management difficult. Hence, it is crucial that CISOs align security and business objectives.

Not having full visibility

Even though CISOs are nominally responsible for managing risk across the entire cybersecurity infrastructure, most of them manage only part of the enterprise because they lack full visibility into it. Without a complete IT asset inventory or a list of third-party suppliers and cloud applications, they run risk management programs on inventories that are neither robust nor accurate. Hence, CISOs should collaborate with their counterparts to gain full visibility into the enterprise's technology landscape and break down the silos around IT activities so that they can obtain quantitative insights.

Each threat given equal weight

As threats, attack vectors and security vulnerabilities grow in number and evolve, many CISOs are tempted to address all of them. However, trying to do so wastes a great deal of time and resources. Hence, CISOs should take a focused and targeted approach: carefully evaluate the risk associated with each type of attack, and then build appropriate processes and tools to mitigate the ones that matter most.

With cyber-attacks becoming increasingly sophisticated, the importance of risk management is only growing. Hence, CISOs must mitigate cyber risk as far as possible. By addressing these three issues and collaborating with their peers on a regular basis, CISOs will not only strengthen the enterprise's infrastructure but also secure their leadership position in the eyes of the board.