Takeaway from ISACA Report: Cybersecurity Needs New, Quantitative Focus
The annual “State of Cybersecurity” report from ISACA is a respected resource in the cyber industry, offering detailed insights into the latest cybersecurity trends, threats, and organizational challenges. The 2024 edition brings a mix of familiar and novel challenges, along with the rise of new threats and evolving industry practices. Notably, there’s a strong alignment between the report’s findings and the FAIR (Factor Analysis of Information Risk) cyber risk management model, suggesting a path for organizations to enhance their security frameworks and focus on quantifiable risk.
Here’s a look at how ISACA’s key findings intersect with the FAIR model and how organizations can leverage these insights for effective risk management.
Growing Cyber Threat Landscape and Threat Intelligence
ISACA Findings: The report highlights an expanded and more sophisticated threat landscape in 2024, emphasizing the role of up-to-date threat intelligence in combating these risks. 55% of survey respondents reported an increasing number of attacks in 2024, with only 12% reporting fewer attacks. Many organizations are struggling to keep pace with emerging threats such as AI-enhanced cyber attacks and vulnerabilities in rapidly expanding cloud environments.
FAIR Approach: The FAIR model focuses on quantifying the impact of cyber threats by breaking them down into measurable components such as loss event frequency and magnitude. Using FAIR, organizations can contextualize threat intelligence by assessing the potential impact of these emerging threats on their unique environment. For instance, by categorizing and prioritizing threats based on probable loss-event frequency (how often an attack might occur) and probable loss magnitude (potential damage), organizations can focus resources on the most significant and relevant threats, rather than spreading their efforts thin.
Skills Shortage and the Talent Gap
ISACA Findings: Cybersecurity skills shortages remain a persistent issue. Roughly 57% of respondents reported that their current cybersecurity team is understaffed, and 55% reported difficulties in retaining qualified security staff. ISACA’s report points out that while organizations continue to invest in cybersecurity technologies, many struggle to attract and retain the right talent, in part due to a higher level of occupational stress caused by an increasingly complex threat landscape. The gap in staffing can lead to overstretched teams and inadequate security operations, increasing vulnerability to cyber attacks.
FAIR Approach: The FAIR model’s emphasis on quantifying risk helps organizations make a compelling business case for cybersecurity investments, including talent acquisition and retention. When security budgets are justified with clear, quantitative risk reduction metrics, executives are more likely to support increased spending on critical hires. By showing the potential financial impact of an understaffed cybersecurity team, risk managers using the FAIR model can communicate the strategic importance of investing in people as well as technology. Furthermore, FAIR analyses help cybersecurity teams focus on the most significant risks to the business, helping reduce the stress caused by a lack of prioritization.
A majority of those surveyed said budgets were underfunded.
Budget Constraints and Resource Optimization
ISACA Findings: Many cybersecurity teams face budget limitations that challenge their ability to maintain or expand their security operations. Indeed, roughly 59% of respondents reported that cybersecurity was underfunded. On a positive note, about 47% said they expect budgets to increase in the next 12 months.
FAIR Approach: The FAIR model is particularly effective in helping organizations optimize budgets by focusing on the financial impact of risk mitigation strategies. Through quantification, organizations can determine which investments will yield the highest risk reduction per dollar spent. This process allows cybersecurity leaders to make data-driven decisions about where to allocate resources, whether that’s investing in advanced detection technologies, improving security training, or focusing on high-risk assets. By aligning expenditures with actual risk reduction, organizations can maximize the return on their cybersecurity investments, even within tight budgets.
The ISACA survey found that risk assessments were most commonly done once a year.
Focus on “Cyberrisk”
ISACA Findings: Notably, the ISACA report includes a short section on “cyberrisk,” with a discussion of cyberrisk assessments. On a positive note, 81% of respondents reported that their executive leaders see value in conducting cyberrisk assessments. However, most (roughly 50%) perform them infrequently (annually or less often).
The report also covers the use of cyberinsurance, with 45% of respondents reporting they do not know if their organization carries cyberinsurance. Of those that do, only 40% reported that their policy provides adequate coverage and 33% reported that they had used their policy.
FAIR Approach: FAIR offers a robust methodology for implementing the kind of cyberrisk assessments that ISACA highlights, but with a twist: the inclusion of risk quantification. As the only international standard for cyber risk quantification, FAIR provides stakeholders with clear, financially grounded insights into their risk landscape, facilitating informed decisions about risk tolerance and security investment. FAIR’s quantification approach helps to bridge the communication gap between technical teams and the executive suite, making risk management a collaborative, enterprise-wide endeavor. It can also help with cyberinsurance decisions and submitting cyber loss claims.
We also believe that cyber risk must be continuously monitored over time. The FAIR model allows for this when it is supported by the right software and data, providing regular updates to risk insights such as annualized loss expectancies. Annual or less frequent analyses should become a thing of the past; instead, cyber risk should be a routine, data-driven discipline based on the FAIR model.
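As an added example (not code from the FAIR Institute, ISACA, or the report), the frequency-times-magnitude breakdown from the threat landscape section and the "risk reduction per dollar" idea from the budget section carried through in a small Monte Carlo that produces an annualized loss expectancy. The loss event frequency and loss magnitude ranges, the two controls and their costs are constructed assumptions, not figures from the survey.

```python
# Added FAIR-style ALE example (not FAIR Institute/ISACA code); all figures are constructed.
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    low: float   # analyst's 5th-percentile estimate
    high: float  # analyst's 95th-percentile estimate

def lognormal_params(r):
    """Map a 90% confidence interval onto lognormal mu/sigma (z for 95% = 1.645)."""
    mu = (math.log(r.low) + math.log(r.high)) / 2
    sigma = (math.log(r.high) - math.log(r.low)) / (2 * 1.645)
    return mu, sigma

def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(lef, lm, trials=20000, seed=7):
    """Mean (the ALE), median and 90th-percentile annual loss over `trials` simulated years."""
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_params(lef)
    m_mu, m_sigma = lognormal_params(lm)
    years = []
    for _ in range(trials):
        events = poisson(rng, rng.lognormvariate(f_mu, f_sigma))       # LEF for this year
        years.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events)))  # LM per event
    years.sort()
    return {"ale": sum(years) / trials, "median": years[trials // 2], "p90": years[int(trials * 0.9)]}

def risk_reduction_per_dollar(baseline_ale, mitigated_ale, annual_cost):
    """Prioritisation metric from the budget discussion: ALE reduction bought per dollar of control spend."""
    return (baseline_ale - mitigated_ale) / annual_cost

if __name__ == "__main__":
    # Constructed scenario (not report data): ransomware against a growing cloud estate.
    baseline = simulate_ale(Range(0.2, 2.0), Range(50_000, 3_000_000))
    # Hypothetical control A halves LEF for $120k/yr; hypothetical control B cuts LM by 60% for $80k/yr.
    control_a = simulate_ale(Range(0.1, 1.0), Range(50_000, 3_000_000))
    control_b = simulate_ale(Range(0.2, 2.0), Range(20_000, 1_200_000))
    print("baseline ALE:", round(baseline["ale"]))
    for name, res, cost in (("A", control_a, 120_000), ("B", control_b, 80_000)):
        print(name, "ALE reduction per $:", round(risk_reduction_per_dollar(baseline["ale"], res["ale"], cost), 2))
```

Re-running the simulation as new incident data narrows the ranges is what turns the annual assessment the survey describes into the continuous, data-driven discipline argued for above.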
Conclusion: A FAIR-Aligned Path Forward
ISACA’s “State of Cybersecurity 2024” report underscores the pressing challenges facing cybersecurity teams, from expanding threat landscapes to budget constraints. These challenges can feel insurmountable, especially without a structured framework for prioritizing risks and making financially sound decisions. FAIR provides a powerful methodology for addressing these issues by translating complex cyber risks into quantitative, actionable insights.
By leveraging FAIR, organizations can respond to ISACA’s findings with a risk-based approach that optimizes their resources, enhances cloud and regulatory compliance strategies, and prioritizes talent acquisition based on measurable risk reduction. As the cybersecurity landscape continues to evolve, the FAIR model offers a path forward that is data-driven, financially sound, and adaptable to the unique needs of every organization.
Join the FAIR movement! Become a member of the FAIR Institute (individual memberships are free).