Every security organization is looking for insight into whether it’s headed in the right direction, but many get distracted by easy outs, like checking off boxes on a list of best practices and mistaking that for true maturity. FAIR Institute Chairman Jack Jones sets a higher standard of maturity: The ability to “cost effectively achieve and maintain an acceptable level of risk” by making well-informed decisions carried out with reliable execution.
Jack designed the FAIR Institute’s annual Maturity Benchmark Survey for organizations to measure themselves against that standard. The results are in for the 2018 survey and, though improved from the 2017 survey, the overall rating the respondents (most of them CISOs) gave themselves was 26 out of a possible 100.
Download The Road to Cyber Risk Maturity: FAIR Institute 2018 Risk Management Maturity Benchmark Survey. Membership in the FAIR Institute's Link Member Resources service required. Join the FAIR Institute now.
Watch Jack Jones discuss the survey results in a webinar – scroll down to the bottom of this page.
“The fact that 75% of the respondents have less than a 50% chance of cost effectively achieving and maintaining an acceptable level of risk should not feel good to any of us,” Jack said in a recent webinar to announce the results.
On the bright side, the level of honest self-examination shown by survey respondents is a very hopeful sign – as is the fast-rising membership number for the FAIR Institute (now over 4,000). As Jack said in his keynote address to the 2018 FAIR Conference, “The fact that we have so many people in the FAIR Institute…who are committed to evolving the profession, that’s tremendously good news and incredibly important to our future as a profession.”
Security executives and analysts looking to evolve their organizations should find plenty of direction by digging into the 13 categories of the Maturity Survey Report, each of which offers specifics on achieving cost-effective, well-informed and reliable risk management.
Survey respondents rated themselves as Strong, Partial or Weak on their capabilities; here is a small sample of the high and low scores.
On the high side...
Respondents felt relatively confident that they are well-staffed, well-organized and competent at meeting compliance standards:
Compliance Requirements: Strong 49%, Partial 48%, Weak 3%
One of the few categories in which respondents rated themselves relatively highly, indicating that they are consistently and meaningfully complying with external standards.
Organizational Resources: Strong 54%, Partial 43%, Weak 3%
This question about the organization’s willingness to fund the cybersecurity program also drew a relatively confident response.
Awareness: Strong 33%, Partial 58%, Weak 9%
A strong program includes well-documented policies that employees are required to understand. Survey participants were generally positive about their organization’s performance.
On the low side...
Respondents rated themselves weakest at consistently using a risk model such as FAIR, at supporting decision-making with accurate risk information, and at defending security objectives.
Motivation: Strong 13%, Partial 44%, Weak 43%
Can security objectives stay a high priority against other organizational initiatives? A strong approach holds senior management as responsible for security as for revenue goals.
Model Quality: Strong 14%, Partial 51%, Weak 35%
Strong: “Risk analyses consistently leverage a well-defined and publicly vetted analytic framework (i.e., is not checklist-based). An example would be the OpenFAIR model.”
Decision-Making Visibility: Strong 16%, Partial 50%, Weak 34%
A strong organization reviews its risk management decisions once a year to make sure they are made at the appropriate level of management, and also brings in outside, independent reviewers to check that decision makers are being given accurate risk management information.
Download the complete report on the Maturity Survey for more tips on achieving excellence in cyber risk management. (FAIR Institute LINK membership required)
Watch the Risk Maturity Survey Results Webinar with Jack Jones: