A new survey reveals some of the biggest challenges organizations face when implementing an effective cyber/IT risk management program. Among those challenges, 49% of respondents cite an increase in the quantity of cyber threats and 49% cite an increase in the severity of cyber threats.

The Cyber Risk Viewpoints Survey, released last week by RiskOptics, reveals that while those working in information security (InfoSec) and governance, risk and compliance (GRC) have high levels of confidence in their cyber/IT risk management systems, persistent problems may make them less effective than perceived. Other top challenges included a lack of funding (37%) and a lack of staffing/cyber risk talent (36%). The report also found that general misunderstandings in common cyber risk terminology could be a deterrent in developing effective strategies and communicating risk to company leadership.

In partnership with Researchscape, RiskOptics conducted the research via an online survey fielded in March 2023, which yielded 261 responses from U.S. InfoSec and GRC leaders across a variety of job levels and industries.

Other key findings included:

  • Perceived challenges in cyber/risk management programs vary by title and level. Directors (59%) and managers (51%) say that the increase in the quantity of cyberattacks was their biggest challenge. Alternatively, SVPs say their biggest challenge is a lack of understanding of cyber/IT risks from leadership (52%), while C-Suite respondents indicate the top challenges are a lack of funding (42%) and leadership turnover (40%).
  • More than half of respondents find that completing a cyber/IT risk assessment is as hard or harder than signing up for health insurance (54%) or getting a license renewed at the RMV/DMV (55%).
  • There are general misunderstandings around common terms. Despite all of the respondents working in InfoSec or GRC, many of them define risk, threats and vulnerabilities differently.
  • 23% of respondents do not evaluate third-party vendors for risk; 30% of respondents who work in manufacturing and 25% of those who work in healthcare say their companies do not evaluate third-party vendor risk.
  • 30% of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders.
  • Manufacturing respondents were the highest percentage to say they do not communicate risk around specific business initiatives (36%). Meanwhile, 20% of healthcare respondents rate their risk management software as being somewhat effective or less effective in mitigating risk (which is more than any other industry).