State of IT and Cyber Risk Management Survey Report 2021 Highlights  

  • Lack of visibility on cyber risks across the organization coupled with manual processes for managing cyber risks and compliance were the biggest challenges this year
  • Top focus areas for future investments include regulatory compliance, tools for IT and security data aggregation and analytics, and cyber risk and compliance solutions
  • There is increasing awareness among most organizations of the critical role played by a dedicated Chief Information Security Officer (CISO)

Modern businesses have been operating in an environment of heightened risk for some time, but the outbreak of the COVID-19 pandemic in early 2020 added to their challenges. As workforces moved to remote working models almost overnight, bad actors intensified their efforts to exploit vulnerabilities in enterprise architectures for their own gain. MetricStream’s State of IT and Cyber Risk Management Survey comes at a time of great tumult and disruption in the world of business. It aims to understand the impact of the pandemic on IT and cyber risk functions and on organizational priorities for the future.

This year’s survey covered a wide spectrum of industries, ranging from Banking and Financial Services to Telecom, Healthcare, Aerospace, Education, Retail, Automotive, Utilities, Government and Not-for-Profit organizations. We connected with companies of varying sizes across geographies to compile a comprehensive picture of their cyber risk and compliance posture, technology frameworks, and future plans. Respondents include both small companies with fewer than 1,000 employees and compliance teams of fewer than 5 members, as well as corporate giants with more than 10,000 employees and compliance teams of 100 or more.

Major Pain Points for Cybersecurity Professionals

Even before the pandemic, organizations operated in a complex threat environment. Despite this, most organizations lack automated, state-of-the-art solutions for managing cyber threats and risks. As the pandemic forced people into remote working models, it produced a highly distributed architecture and a greatly expanded threat surface. Consequently, the risk management task became tougher than ever before. Almost half the respondents said that lack of visibility into cyber risks across the enterprise was their biggest challenge. Manual processes and lack of security awareness and training were close seconds.


The two most-cited challenges (percentages shown in the original graphic):
  • Lack of visibility into cyber risks across the organization
  • Manual processes and lack of security awareness and training

The current remote working conditions and the augmented digital interconnectedness of people, systems, processes, and organizations are likely to stay even after the crisis is over. This necessitates the adoption of a mature, integrated IT and cyber risk and compliance management solution.

Current IT and Cyber Risk and Compliance Management Practices

The cyber risk landscape has been getting progressively more serious, with the cost of breaches rising year on year. The pandemic has only made matters worse. We noted a clear connection between this and the increasing number of companies that reported conducting risk and control assessments on an ongoing basis. Last year, most had reported that they conducted assessments only once a quarter.

Integrating cyber strategy with enterprise risk management (ERM) is critical for ensuring a robust and comprehensive cyber risk strategy and business resilience. But only 28% of organizations say their cyber risk and compliance program is fully integrated with their ERM program. And of these, 37% use an integrated solution for policy, risk, compliance, and vendor management, such as an IT GRC solution.


Survey figures (percentages shown in the original graphic):
  • of organizations have aligned their cyber risk and compliance program with enterprise risk and compliance management programs
  • of organizations use basic office productivity software for cyber risk management
  • use IT and cyber risk management software for identification and assessment of IT and cyber risks

Despite the availability of integrated risk management platforms, many organizations still use basic office productivity software for risk management functions. Knowledge management software and point solutions that are not integrated with risk and compliance systems are also commonly used. Identification and assessment of cyber risk are the predominant uses of IT and cyber risk management software.

Cyber risk can no longer be dealt with effectively with a siloed and manual approach.

Impact of COVID-19

Almost half the organizations surveyed said that COVID-19 had forced them to change their cyber risk management plans and approaches, and 33% said they deployed new tools and systems to improve efficiencies.


Survey figure (percentage shown in the original graphic):
  • of respondents believe that the pandemic has increased the scope of IT and cyber risk and compliance programs


CISO: A Business Imperative

Given the dramatic increase in risks and cyber threats, it is not surprising that many companies today consider the role of the CISO critical to better security and resilience strategies. 39% of the respondents already have CISOs to oversee IT and cyber risk and IT compliance management. This is a considerable improvement from last year, when only 29% of organizations reported having CISOs to oversee their IT and cyber risk programs.


Survey figure (percentage shown in the original graphic):
  • of organizations still depend on CIOs, CTOs, and Chief Risk Officers (CROs) for IT and cyber risk programs

Looking Ahead into 2021

Real-time access to risk information is crucial for quick mitigation of issues. But given that most organizations are still not using integrated cyber risk management solutions, lack of visibility into enterprise risks and lack of automated processes remain their biggest challenges. As they plan for a post-pandemic future, almost half the respondents intend to implement targeted solutions to ensure regulatory compliance. 30% intend to implement centralized cyber risk and compliance solutions, and 38% say they want to adopt tools for IT and security data aggregation and analytics.


Survey figures (percentages shown in the original graphic):
  • of respondents say continuous monitoring of IT and cyber controls is a key challenge
  • say harmonizing and rationalizing controls across standards and compliance requirements is a challenge


Very few businesses were prepared for the scale of disruption caused by the pandemic. It has accelerated the digital transformation of key processes and highlighted the need to invest in cutting-edge, integrated technology platforms for functions like IT and cyber risk management.

