Cyber risk management controls & indicators
- 28 February 2020
The challenge of controls & indicators for cyber risk management
Good controls and indicators are vital for effective cyber risk management. Members of our cyber and information security risk management working group identified them as a key area of interest, but also a major challenge.
One reason for this is the difficulty of balancing appropriate controls and indicators for cyber risk management with maintaining a focus on the most material ones. For example, what makes a good indicator, or which controls are the most material in operation across the industry?
Find out how the rest of the industry is using controls & indicators for cyber risk management
As a cyber risk management specialist, it's hard to know how your controls and indicators compare with other financial organisations. This is where ORX can support you.
To begin with, we surveyed some of the financial institutions taking part in our work to create a programme to support cyber and information security risk management, asking about the indicators and external control standards they use. From this, we've created a freely available report which explores our key findings and identifies what makes a control or indicator effective.
But that's not all. We've also used the information to create a library of controls and indicators used for cyber risk management – the first of its kind in the industry!
Headline survey results
Through the survey and discussions with our group of participants, we identified four key takeaways about the controls and indicators used for cyber and information security risk management:
- Financial organisations reference multiple industry control frameworks
- Controls and indicators differ in levels of maturity
- Controls and indicators are largely manually operated and monitored
- Institutions often lack expertise and good data to support robust cyber risk management
Improving cyber controls is a priority
Our survey clearly showed that firms tend to operate large numbers of controls, with a median of 51-100 per organisation. It may come as no surprise, then, that most of our participants told us they were looking to improve their control environment. Improvements include automation and transferring responsibilities between the lines of defence.
Cyber indicators are less mature than controls
While the majority of organisations surveyed felt that their controls were mature, the same was not true for indicators. Our participants also tended to have fewer indicators, with a median of 25-50 indicators per organisation across multiple risks.
Download the report for further insights
Download the free report to read the results of the survey and our analysis in more detail. You'll also find out what factors make an effective control or indicator for cyber and information security risk management.
Data, resources and more for cyber risk managers
ORX Cyber is a premium service which combines information sharing, research and collaboration to support second line cyber and information security risk managers at financial firms.