A report by Bitsight and Diligent, which includes contributions from 4,000 medium to large-sized companies across the globe, has found that only 5% of businesses have a cyber expert as a member of staff. At the same time, a correlation was found between strong cybersecurity measures and higher financial performance. In fact, cybersecure companies typically produce a financial performance that is four times higher than those that do not.
“It takes a village to perform well in cybersecurity! For years we've discussed the tactical and technical layers of defense, like that of an onion, while largely ignoring the same needs on the leadership level,” says Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit. “It's not enough to only elevate the visibility and authority of the CISO, or have a board involved in cybersecurity matters. It takes an entire ecosystem and culture of an organization, united and aligned, with clear focus and priorities, to achieve cybersecurity maturity manifested in operations.”
The report found that highly regulated industries (for example, healthcare) possessed a higher cybersecurity performance than others. Similarly, organizations that utilized specialized risk or audit committees typically had a better cybersecurity performance.
“Pillars of success frequently involve top-down leadership that understands this vision and what risk really is, and how to unify, empower, and align global disparate teams. Organizationally everyone is involved from the board down to separate mature teams of risk, audit, SecOps, and others, all working together in regulatory, compliance, and cybersecurity framework-driven operations to ensure efficiency and efficacy in outcomes,” says Ken. “Once an organization is able to become process driven, instead of people being solely dependent on SecOps, the governance risk management process can be automated and optimized to prioritize risk with measurable results, compared to those that do not implement these core components of a risk management program.”