Risk and IT professionals continue to disagree on cyber priorities
Written by Deborah Ritchie
Risk and IT professionals may agree on one thing: cyber risk is a problem that needs addressing. But when it comes to how organisations should assess, manage and mitigate the threat, their views are not nearly so well aligned. This is not a new problem, but it is a worryingly persistent one.
The findings of a new research project serve both to underline the issue and to examine ways of dealing with it. The report, carried out by Chubb and launched today at the FERMA European Risk Management Forum in Monte Carlo, sought the views of more than 250 senior managers from each of the IT and risk functions at major businesses across Europe with annual revenues exceeding US$500m. It identifies some fundamental differences of opinion on how cyber risk should be addressed.
IT professionals are more likely than their counterparts in the risk function to expect the impact of a cyber event to be severe, the report says. This is evidence that not all organisations have reached a single view of the scope of the threat or how to tackle it, which can leave them exposed. At the same time, in almost every area of cyber risk, IT respondents rate their own capabilities more highly than their peers in the risk function do.
What was once an issue managed by an organisation’s IT function is increasingly viewed as a crucial C-suite priority, and functions as diverse as risk, legal and HR are all expected to play a part in responding. Despite this broad response, many organisations are struggling to build governance models that allow for a consistent approach.
Six in ten respondents to the survey say senior leaders expect their business to be invulnerable to cyber attack. Because the cyber threat is constantly evolving, this places intense pressure on risk and IT teams to mitigate every threat with a 100% success rate, an expectation no control set can meet.
Kyle Bryant, cyber risk manager for Europe at Chubb, says the results show that a clear and worrying disparity continues to exist between risk and IT managers. He believes insurers may hold the key to bringing the two functions together to assess, quantify and prioritise different cyber risks, and to build stronger defences and protections.
“Nothing will provide you with total assurance that an incident won’t happen,” he added. “But insurance now provides a practical solution to help you identify, mitigate and protect your organisation’s vulnerabilities.”