The moment of truth for Cyber Risk and Compliance



The recent MetricStream IT Risk and Compliance Survey Report 2021 reveals a deep divide between IT Cyber Risk Management Strategy and Actual Practice.


Since COVID-19, the pace of digital transformation has accelerated dramatically, increasing our dependence on technology. Almost everything we do today is digital-first. Unfortunately, this has opened doors to new risks that can have wide-ranging consequences for business profitability and reputation. Today, companies need a clear understanding of their exposure, vulnerabilities, and potential losses related to every decision they make, in order to build and implement a concrete risk-based approach to cybersecurity. Decision-makers need faster and better risk visibility—which calls for an advanced, integrated, and automated IT GRC approach.

A couple of months ago, we decided to ask IT risk and cybersecurity practitioners from around the world some pressing questions about the current state of affairs: How effectively are IT and cyber risks being managed? How mature are risk assessment and monitoring processes? Who is leading IT and cyber risk programs? And how robust are the tools being used?

As it turns out, the pandemic is likely to trigger a surge in IT and cyber risk investments, with key focus areas including IT security solutions and regulatory compliance, as evidenced by the latest insights gleaned from the hundreds of companies that participated in our MetricStream IT Risk and Compliance Survey 2021.

A look inside the report:

The key areas of consensus among those who took part in the research lead to the emergence of several broad themes. Here are some of them:

1. Risks are evolving; compliance violations remain top of mind.

To find out what keeps security and risk professionals up at night, MetricStream asked what risks and threats their organization faced in the last two years. “Denial of Service” took the top spot, followed closely by “Compliance violations and regulatory actions.” Taking third was “Spoofing of company social media,” reported AiThority.

2. IT risk programs have executive visibility; the majority are not driven by the CISO.

The survey shows that 70 percent of respondents agree that their senior management and leadership help establish the strategic direction of their IT risk management program. However, only 29 percent of respondents say that their IT risk program rolls up to the Chief Information Security Officer (CISO), reported Continuity Central in their article, ‘Survey looks at IT cyber risk management trends’.

“First, this report can help CISOs and compliance officers really understand how the pandemic transformed IT risk…CISOs have to think about how to keep corporate systems working — in a secure manner, and in compliance with all the usual regulatory requirements — in a much more loosely controlled IT environment. Even a task as simple as tracking all the IT devices accessing your data becomes much more complicated,” notes Radical Compliance, in their article Thoughts on IT Risk Management featuring key findings from the Survey.

3. Most IT risk programs have yet to reach optimal maturity.

When asked about the maturity level of their IT risk programs, 69 percent of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, 31 percent of respondents report having IT risk assessment reviews on a quarterly basis. Only 15 percent stated having monthly reviews, as Yahoo! Finance highlighted while featuring the report.

4. The number one tool used for IT risk management – spreadsheets.

Dark Reading, while covering the report, highlights: “When asked what tools are used for IT risk management, the number one response was spreadsheets. More than 45 percent of respondents reported using spreadsheets, even if they had an IT GRC solution in place. Moreover, 54 percent stated not using any IT GRC solution to manage IT risks.”

5. Investment in security and compliance is the top risk priority for 2021.

When asked about future plans, 38 percent of respondents stated that they are planning to increase their spend on IT risk management in 2021. Additionally, respondents ranked their top 2021 priorities as: 1) investment in IT security solutions, 2) compliance with federal and government regulations, and 3) IT security data aggregation and reporting, as Cision Newswire noted while highlighting the key findings of the survey.

“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO, MetricStream. Overall, we can hope that the more organizations prioritize and invest in IT and cyber risk management, the better prepared they will be to deal with both the opportunities and threats of operating in an increasingly digital world. Access the complete report here.