Cyber risk management controls & indicators

  • 28 February 2020

The challenge of controls & indicators for cyber risk management

Good controls and indicators are vital for effective cyber risk management. Members of our cyber and information security risk management working group identified them as a key area of interest, but also a major challenge.

One of the reasons for this is balancing appropriate controls and indicators for cyber risk management, while maintaining a focus on the most material ones. For example, what makes a good indicator, or which controls are the most material in operation across the industry?

Find out how the rest of the industry is using controls & indicators for cyber risk management

As a cyber risk management specialist, it's hard to know how your controls and indicators compare with other financial organisations. This is where ORX can support you. 

To begin with, we surveyed some of the financial institutions taking part in the ORX cyber risk management programme on the indicators and external control standards they use. From this, we've created a freely available report which explores our key findings and identifies what makes a control or indicator effective.

Download the free report

Cyber controls and indicators

But that's not all. We've also used the information to create a library of controls and indicators used for cyber risk management – the first of its kind in the industry!

Get in touch today to find out more about the ORX cyber programme

Headline survey results

Through the survey and discussions with our group of participants, we identified four key takeaways about the controls and indicators used for cyber and information security risk management:

  1. Financial organisations reference multiple industry control frameworks
  2. Controls and indicators differ in levels of maturity
  3. Controls and indicators are largely manually operated and monitored
  4. Institutions often lack expertise and good data to support robust cyber risk management

Improving cyber controls is a priority

With a median of 51-100 per organisation, our survey clearly showed that firms tend to operate large numbers of controls. It may come as no surprise then, that most of our participants told us they were looking to improve their control environment. Improvements include automation and transferring responsibilities between the lines of defence.

Cyber indicators are less mature than controls

While the majority of organisations surveyed felt that their controls were mature, the same was not true for indicators. Our participants also tended have fewer indicators, with a median of 25-50 indicators per organisation across multiple risks.

Download the report for further insights

Download the free report to read the results of the survey and our analysis in more detail. You'll also find out what factors make an effective control or indicator for cyber and information security risk management.

Download the cyber controls & indicators report

Benchmark your controls & indicators

Using the information shared in this study, we've developed a library of controls and indicators used for cyber risk management. This unique resource allows financial organisations to compare and benchmark their controls and indicators against other those used by other firms.

Having access to this information, which you can't currently get anywhere else, will help you gain a deeper insight into industry practice. You'll be able to see the top controls and indicators for major risk types, and use this data to strengthen your cyber and information security risk management.

The library is currently free for all ORX members.

Find out more about the cyber controls and indicators library

Download the report

Get your free copy of the ORX report exploring the controls and indicators used for cyber and information security risk management.

Download the report