The FAIR™ Institute’s third annual Cyber Risk Management Maturity Benchmark Survey results are in, and show “a lot of opportunity left in the risk management space for improvement,” says survey report author and FAIR Institute Fellow Jack Freund, PhD.
A record 211 respondents from risk and security professions in more than a dozen industries rated their organizations’ strengths using the FAIR Institute’s Risk Management Maturity (RMM) framework.
Unlike typical maturity frameworks that rate organizations on the number of installed security controls, the Institute’s RMM focuses on how risk-based decision making actually occurs.
Watch the recorded version of a webinar discussion of the results, led by Jack Freund (A free FAIR Institute membership and registration on LINK discussion board required).
Respondents rated their skills and capabilities for:
- How well they prioritize
- How well they execute on the expectations of the organization
- How capable they are to meet those expectations
The average overall maturity score of 30 dipped slightly from last year’s results, though not by a statistically significant amount; the score is still up from the initial survey in 2017.
Other findings in the survey show the weaknesses and strengths of risk and security teams:
Room to Improve
- Motivation – how well employees are incented to meet security policies and standards, particularly in the face of other, non-security management directives – 46% rated themselves as weak
- Model quality – 35% rated as weak for the risk analysis models in use – perhaps showing the ongoing use of qualitative, best-guess analysis
- Decision making visibility – 35% weak, indicating no disciplined, defensible standards for risk-based analysis
Strengths
- Compliance requirements – 38% strong – how much the organization is driven by outside regulators or third parties. This result was probably influenced by the fact that 30% of the respondents are in financial services.
- Organizational resources – 44% strong – budget wars are being won
The Maturity Survey yielded some telling results on other current topics of debate in cybersecurity:
Some positive trends on board reporting. 49% report to their boards quarterly, the most common cadence. 22% report just once a year. 60% rated the board’s reaction to reporting as “somewhat satisfied”. A surprisingly high 32% said that the board had at least one member with an infosec background.
Acceptance of quantitative cyber risk analysis still lags. For board reporting, just 17% are using “quantitative reports showing the organization’s economic loss exposure”. 60% are still using “narrative based, threat-oriented storytelling” and 48% qualitative heat maps.
Lots of upside for FAIR + NIST CSF. The breakthrough development of last year – addition of the FAIR standard to the NIST CSF list of best practices for risk management – should increasingly win acceptance, based on these stats: 71% of organizations use NIST CSF and 36% use FAIR.
You’ll want to read the survey report not just as a snapshot of current risk management practices but as a benchmark to rate your own program on a practical level. The report also includes some specific advice on how to improve on risk-based decision-making (hint: adoption of the FAIR model goes a long way).
The Risk Management Maturity Survey is just one of the many activities and resources for risk and security professionals from the FAIR Institute, including the annual FAIR Conference and local networking through the FAIR Institute Chapters. Join the FAIR Institute now (it’s free)!