Understanding roles, responsibilities, and perspectives will strengthen cyber risk resilience.
How do professionals across the Middle East and Africa view their role in cyber insurance, cyber incident management, and cybersecurity tools and services? Do they consider their function to be the decision maker? To be part of the overall team, with inputs into the decisions? Or are they not at all involved?
- IT/cybersecurity professionals were the most involved across the board, according to our 2022 Marsh Microsoft Cyber Survey respondents. In the majority of the responses, they were either the decision maker or part of the team in the three areas, and had the lowest level overall of “not involved.” They were also the most likely to see themselves as the decision makers for cyber incident management and cybersecurity tools and services.
- The board/CEO/president respondents were most likely to see themselves as the ultimate decision makers on cyber insurance, with risk management and finance close behind.
- It’s interesting that 90% of risk manager respondents said a cyber incident response plan existed, while only 60% of executive level leaders said so. Possibly, some of the low response among executives had more to do with a lack of engagement with those responsible for cyber risk management than a lack of an actual plan.
- Cyber insurance decisions show the highest level of respondents saying they are part of the team.
- Cybersecurity tools and services have the lowest levels of collaboration among professionals across the enterprise compared to other areas.
Confidence in cyber risk management strategies is relatively low.
Confidence in their organization’s ability to assess, measure, mitigate, and respond to cyber threats remains low among respondents, with no substantial change from the survey responses gathered in the 2019 Marsh and Microsoft Cyber Survey: only 19% of respondents indicated they are highly confident in their cyber risk management in 2019. Overall, executive leaders expressed the lowest level of confidence in these areas compared to departmental leaders.
- Both the executive leaders and departmental leaders showed the highest confidence levels regarding organizations’ ability to understand and assess cyber threats. This reflects the ever-increasing exposure to information about cyber risk experienced by most areas of society.
- The biggest gap in perception also related to the ability to manage and respond to cyberattacks, with nearly one-third of executive leaders saying they were not confident, compared to around a quarter of departmental leaders. Such differing perceptions could well affect where resources are ultimately deployed as part of a cyber risk strategy. More effective cross-enterprise communication holds the potential to bridge such gaps. As information is shared across functions, there may well be better alignment around the organization’s abilities — and where to make investments.
As cyber investments increase, cross-enterprise strategy is needed.
There was broad consensus among organizational roles on the need to increase investments in cyber risk management resources and capabilities, compared to 2019. Very few respondents expect investments will decrease, and more than half said some level of increase is likely in most areas. Like most budgetary decisions, deciding where to invest can be a complicated, time-consuming matter. Organizations that share their cyber risk expertise across the enterprise are likely to find the task more effective and efficient.
- Cyber risk leaders in different roles and departments can be expected to have varied plans and priorities for future investments. IT and cybersecurity respondents were more likely to plan increased spending on cybersecurity technology; those in finance and procurement roles less so.
- Risk management and insurance leaders were more likely to anticipate greater spending on cyber insurance and on hiring more cybersecurity professionals; those at the board and CEO level were significantly less likely.
- Lack of relevant staff/talent was seen as one of the top barriers holding companies back from implementing more formal and rigorous risk assessment methods. At the same time, executive leaders were the least likely to foresee increased hiring of cybersecurity talent. Does this represent a miscommunication among the various functions and leaders? If it does, this is yet another area that would benefit from an enterprise-wide approach to cyber risk management.