MetricStream Global Survey Reveals Chasm Between IT Cyber Risk Management Strategy and Actual Practice

Survey Shows IT Risk Management Elevated to the Executive Level, However Most Organizations Still Use Spreadsheets to Manage Risk and Compliance

SAN JOSE, Calif., February 9, 2021 – MetricStream, the market leader in governance, risk, and compliance (GRC), and integrated risk management products and solutions, today unveiled the results of their global IT Risk and Compliance Survey, in which enterprise security and risk professionals from around the world addressed top IT cyber risk concerns for 2021. Key findings show despite risk management taking center stage at the executive level, most organizations still rely on spreadsheets to manage IT risks.

“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO, MetricStream. “Despite breakthrough advancements in artificial intelligence, machine learning and other advanced risk management technologies, the weakest links – spreadsheets – underpin a majority of enterprise risk management programs.”  

The MetricStream IT Risk and Compliance Survey queried security and risk professionals from around the world to address top issues around IT and cyber risks. Respondents include representatives from multiple industries, including: financial services, telecom, technology, manufacturing, government, education, healthcare and transportation.

Key Finding: Risks are evolving; compliance violations remain top of mind
To find out what keeps security and risk professionals up at night, MetricStream asked what risks and threats their organization faced in the last two years. “Denial of Service” took the top spot, followed closely by “Compliance violations and regulatory actions.” Taking third was “Spoofing of company social media.”

Key Finding: IT risk programs have executive visibility; the majority are not driven by the CISO
The survey shows that 70 percent of respondents agree that their senior management and leadership help establish the strategic direction of their IT risk management program. However, only 29 percent of respondents say that their IT risk program rolls up to the Chief Information Security Officer (CISO).

Key Finding: Most IT risk programs have yet to reach optimal maturity
When asked about the maturity level of their IT risk programs, 69 percent of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, 31 percent of respondents report having IT risk assessment reviews on a quarterly basis. Only 15 percent stated having monthly reviews.

Key Finding: The number one tool used for IT risk management – spreadsheets
When asked what tools are used for IT risk management, the number one response was spreadsheets. More than 45 percent of respondents reported using spreadsheets, even if they had an IT GRC solution in place. Moreover, 54 percent stated not using any IT GRC solution to manage IT risks.

Key Finding: Investment in security and compliance are top risk priorities for 2021
When asked about future plans, 38 percent of respondents stated that they are planning to increase their spend on IT risk management in 2021. Additionally, respondents ranked their top 2021 priorities to be: 1) investment in IT security solution, 2) compliance with federal and government regulations, and 3) IT security data aggregation and reporting.

The entire results of the MetricStream 2021 IT and Cyber Risk Survey is available for download here: MetricStream IT Risk and Compliance Survey Report 2021


About MetricStream

MetricStream is the global market leader for Governance, Risk, and Compliance (GRC) and integrated risk management solutions, providing the most comprehensive solutions based on a single platform that includes Operational Risk, Compliance, Audits, IT and Cybersecurity, Business Continuity and Third-Party Risk Management. Since 2008, MetricStream has empowered organizations to intuitively harness front-line intelligence that enables all stakeholders to make real-time risk-aware business decisions. MetricStream is headquartered in San Jose, California, with an operations and R&D center in Bangalore, India, and sales and operations support around the globe. More information is available at www.metricstream.com, LinkedIn, Facebook and Twitter