Despite their best efforts and investments, some organizations still experience difficulty as a result of organizational, operational and even cultural differences between their IT security and business risk functions. These gaps can be seen in the ways security and risk teams describe their environments, their challenges, and their relationships with one another.
In early 2018, RSA® commissioned the Cybersecurity and Business Risk Survey, executed by Enterprise Strategy Group (ESG), to learn more about the challenges and priorities of IT security and business risk professionals.
RSA’s new report, “Pain and Progress: The RSA Cybersecurity and Business Risk Study” reflects findings from the survey, and is intended as a glimpse into the minds of security and risk leaders. It describes the pain these teams feel in pursuit of protecting their organizations’ digital assets and data, in the face of challenges from the forces of modernization, malice and mandates.
For example, when asked if their organization had experienced a security breach in the past two years, 70 percent of respondents confirmed they had, and 85 percent of those who had experienced a breach in the past two years said their organization had actually experienced two or more in that timeframe.
RSA’s study revealed another trend -- that IT security and business risk teams are breaking out of their silos and starting to work more closely together toward their common goal of managing the organization’s digital risk. Most respondents (82 percent) said their organizations consider security breaches as a business risk, not just a security risk. This is just one simple, but critical, agreement that helps organizations bridge some of the gaps the respondents said often stand between security and risk teams, including language, goals and metrics.
Other survey responses indicate these teams are embracing the convergence of IT security and business risk by prioritizing the interconnectivity of security and business functions, and by seeking to overcome the limitations of siloed strategies with a more inclusive approach. This kind of approach, driven by business priorities and context, is best positioned to protect what the organization values most.
The RSA Cybersecurity and Business Risk Study contributes to the ongoing discussion about whether and how to rethink and strengthen the relationship between these teams, including how far they have come and how much farther they still need to go. If one thing is clear in the survey’s responses, it is that these teams have a lot of ground upon which to establish common metrics, integrate tools and agree upon priorities to help their organizations more effectively and efficiently manage digital risk.