Cyber risk management controls & indicators

  • 28 February 2020

The challenge of controls & indicators for cyber risk management

Good controls and indicators are vital for effective cyber risk management. Members of our cyber and information security risk management working group identified them as a key area of interest, but also a major challenge.

One reason for this is the difficulty of keeping an appropriate set of controls and indicators for cyber risk management while maintaining a focus on the most material ones. For example, what makes a good indicator, and which controls are the most material in operation across the industry?

Find out how the rest of the industry is using controls & indicators for cyber risk management

As a cyber risk management specialist, it's hard to know how your controls and indicators compare with other financial organisations. This is where ORX can support you. 

To begin with, we surveyed some of the financial institutions taking part in our work to create a programme to support cyber and information security risk management, asking about the indicators and external control standards they use. From this, we've created a freely available report which explores our key findings and identifies what makes a control or indicator effective.

Cyber controls and indicators

But that's not all. We've also used the information to create a library of controls and indicators used for cyber risk management – the first of its kind in the industry!

Headline survey results

Through the survey and discussions with our group of participants, we identified four key takeaways about the controls and indicators used for cyber and information security risk management:

  1. Financial organisations reference multiple industry control frameworks
  2. Controls and indicators differ in levels of maturity
  3. Controls and indicators are largely manually operated and monitored
  4. Institutions often lack expertise and good data to support robust cyber risk management

Improving cyber controls is a priority

Our survey clearly showed that firms tend to operate large numbers of controls, with a median of 51-100 per organisation. It may come as no surprise, then, that most of our participants told us they were looking to improve their control environment. Improvements include automation and transferring responsibilities between the lines of defence.

Cyber indicators are less mature than controls

While the majority of organisations surveyed felt that their controls were mature, the same was not true for indicators. Our participants also tended to have fewer indicators, with a median of 25-50 indicators per organisation across multiple risks.

Download the report for further insights

Download the free report to read the results of the survey and our analysis in more detail. You'll also find out what factors make an effective control or indicator for cyber and information security risk management.

Data, resources and more for cyber risk managers

ORX Cyber is a premium service which combines information sharing, research and collaboration to support second line cyber and information security risk managers at financial firms.
