Cyber risk management controls & indicators
- 28 February 2020
The challenge of controls & indicators for cyber risk management
Good controls and indicators are vital for effective cyber risk management. Members of our cyber and information security risk management working group identified them as a key area of interest, but also a major challenge.
One of the reasons for this is balancing appropriate controls and indicators for cyber risk management, while maintaining a focus on the most material ones. For example, what makes a good indicator, or which controls are the most material in operation across the industry?
Find out how the rest of the industry is using controls & indicators for cyber risk management
As a cyber risk management specialist, it's hard to know how your controls and indicators compare with other financial organisations. This is where ORX can support you.
To begin with, we surveyed some of the financial institutions taking part in the ORX cyber risk management programme on the indicators and external control standards they use. From this, we've created a freely available report which explores our key findings and identifies what makes a control or indicator effective.
But that's not all. We're also using the information to create a library of controls and indicators used for cyber risk management – the first of its kind in the industry! You'll be able to get access to this library if you subscribe to the ORX Cyber service (launching soon).
Headline survey results
Through the survey and discussions with our group of participants, we identified four key takeaways about the controls and indicators used for cyber and information security risk management:
- Financial organisations reference multiple industry control frameworks
- Controls and indicators differ in levels of maturity
- Controls and indicators are largely manually operated and monitored
- Institutions often lack expertise and good data to support robust cyber risk management
Improving cyber controls is a priority
Our survey clearly showed that firms tend to operate large numbers of controls, with a median of 51-100 per organisation. It may come as no surprise, then, that most of our participants told us they were looking to improve their control environment. Improvements include automation and transferring responsibilities between the lines of defence.
Cyber indicators are less mature than controls
While the majority of organisations surveyed felt that their controls were mature, the same was not true for indicators. Our participants also tended to have fewer indicators, with a median of 25-50 indicators per organisation across multiple risks.
Download the report for further insights
Download the free report to read the results of the survey and our analysis in more detail. You'll also find out what factors make an effective control or indicator for cyber and information security risk management.
Benchmark your controls & indicators
Using the information shared in this study, we're creating a library of controls and indicators used for cyber risk management. This will allow financial organisations to compare and benchmark their controls and indicators against those used by other firms.
Having access to this information, which you can't currently get anywhere else, will help you gain a deeper insight into industry practice. You'll be able to see the top controls and indicators for major risk types, and use this data to strengthen your cyber and information security risk management.
The library will be available as part of the ORX Cyber service, which will be launching later this year.