The State of Cyber Risk Management
Meridith Levinson
August 19, 2024
It’s been a tumultuous four years for CISOs and for the practice of cyber risk management.
The trouble started on August 20, 2020, when a prominent CSO was charged by the U.S. Department of Justice with obstruction of justice and misprision of a felony–in this case, for not reporting a data breach. Concurrently, the CSO’s organization was being investigated by the FTC for their response to a separate data breach.
The indictment and eventual guilty verdict sent chills through the CSO and CISO community. Then, another security leader was brought up on criminal charges–this time for fraud and internal control failures related to a data breach. Security leaders were officially on notice.
The tide seemed to begin turning in CISOs’ favor in early July 2024, when a U.S. Supreme Court ruling shifted authority for the interpretation of Congressional laws from regulatory agencies to the courts. This ruling has cast doubt on the enforceability of existing federal cybersecurity laws. The Supreme Court decision has the potential to “upend all federal cybersecurity regulations” by “moving ultimate regulatory approval” from agencies like the SEC, FCC, and CISA to the court system, according to CSO.
Two weeks later, the judge in the aforementioned fraud case dismissed some of the charges the SEC brought against the CISO, which prompted some security leaders to publicly express cautious optimism about an eventual advantageous verdict.
Against this volatile regulatory backdrop, ExtraHop wanted to know what effect this mounting scrutiny and criminal liability was having on CISOs’ cyber risk management practices. We polled 1100 security and IT decision makers across the U.S., UK, France, Germany, Singapore, Australia, and the UAE to assess their confidence in their organizations’ abilities to manage cyber risk. The survey also sought to learn about respondents’ cyber risk management practices, cybersecurity budgets, and more. Read on for highlights from this survey.
Cyber Risk Management: Overall Confidence Levels Globally
While many current and former CISOs in the U.S. publicly expressed concerns about the impact of criminal indictments against CISOs on LinkedIn and at conferences, similar distress signals failed to manifest in the ExtraHop survey. In fact, most survey respondents said they were somewhat confident that their organizations were effectively managing cyber risk. Because the survey results represent respondents across geographies, it’s possible higher confidence levels are skewed by respondents from countries where CISOs aren’t facing criminal liability for cyber incidents.
Indeed, a closer look at geographical breakdowns shows that overall confidence levels in the U.S. are four percentage points below the global average (84% confident in the U.S. vs. 88% confident globally), and are second only to France for the lowest confidence level. Similarly, the proportion of U.S. respondents saying they are not confident in their organization’s ability to manage cyber risk is four percentage points higher than the global average (15.9% in the U.S. vs. 11.6% globally), and U.S. respondents are second only to French respondents for the highest “not confident” rating (15.9% in the U.S. to 25.3% in France).
Executive Involvement in Cyber Risk Management: Global Results
Notably, executive- and board-level involvement in cyber risk governance was lowest in the U.S., with just over half of U.S. respondents (51%) saying top executives were involved, compared with the global average of 59%. Executive and board-level involvement was highest in Singapore (88%), followed by Germany (70%) and Australia (68%).
Cyber Risk Management Practices Globally
Barriers to Effective Cyber Risk Management Globally
In the U.S., the biggest barrier to effective cyber risk management was the pace of business, followed by insufficient personnel. One in five U.S. respondents said the business moved too fast for their organizations to keep up from a cybersecurity perspective; 17% said they lacked enough people to do the job.
Global Cybersecurity Budgets
The budget increases required to facilitate better management of cyber risk were among the highest in the U.S., with U.S. respondents saying a mean increase of 62.5% was needed, compared to a mean increase of 44% globally.
For more information on the state of cyber risk management, see the 2024 Global Cyber Confidence Index report from ExtraHop.