Cybersecurity Awareness: 3 Risk Management Lessons

  • October 30, 2019
  • Quantivate

Lessons from National Cybersecurity Awareness Month

As October wraps up, National Cybersecurity Awareness Month (NCSAM) is also coming to an end. Established by the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA), NCSAM is now in its 16th year.

The 2019 theme of “Own IT. Secure IT. Protect IT” includes an emphasis on enterprise cybersecurity, particularly protecting customer and consumer data. For the past few weeks, we’ve expanded on this topic to offer some insights on managing cyber and IT risk.

Let’s recap some of the takeaways:

Lesson #1: Cybersecurity is part of a bigger picture

Cybersecurity is only one piece of the puzzle in a holistic approach to protecting internal and customer data, managing and mitigating technology risk, and keeping tabs on your IT assets. A comprehensive IT risk management program goes beyond just cybersecurity threats to ensure proper governance, risk management, and compliance for all IT systems and processes that support business operations.

Lesson #2: Alignment with business strategy and integration with other risk & compliance functions are essential

According to a recent survey of C-level executives, many organizations struggle with cybersecurity, in large part because they lack an effective, integrated framework for governance, risk, and compliance (GRC). As the survey puts it, “the challenges are not limited to budget and resources but to a collective enterprise alignment on integrating cyber into critical business strategy and operations.”

Respondents identified specific challenges such as:

  • Prioritizing cyber risks across the enterprise
  • Lack of management alignment on priorities
  • Inadequate governance

Cross-functional integration through data-sharing and a unified approach to GRC is key to preventing and resolving common cybersecurity challenges like these.

Lesson #3: Organizations need a plan for cybersecurity program maturity

In addition to the challenges of integrating IT and cyber risk management with organizational strategy, businesses struggle to keep up with the rapid pace of technological change and the increasing threat of cybercrime.

Recent research indicates that few organizations have adequate data security and IT risk management processes in place — by one estimate, only 16% of executives say their organizations are well prepared to deal with cyber risk.

Some other eye-opening statistics demonstrate the need for improvement in core management capabilities and overall program maturity:

  • 87% of organizations see tech risk management as a siloed, reactive process rather than “an organization-wide function for proactive risk management.” (Source: KPMG / Forbes Insights)
  • 77% of organizations are operating with limited cybersecurity and resilience. (Source: Ernst & Young)
  • Only 8% of organizations have information security functions that fully meet their needs. (Source: Ernst & Young)
  • Fewer than 10% of organizations believe they are mature in key cybersecurity categories such as architecture, identity and access management, metrics and reporting, software security, third-party management, and threat/vulnerability management. (Source: Ernst & Young)
  • Only 18% of organizations have a cybersecurity incident response plan. (Source: Marsh & McLennan)

To effectively measure and mitigate risk, protect data and assets, and monitor their cybersecurity posture, organizations must continually improve and mature their IT risk management capabilities.
