
90% of cyber leaders find managing cyber risks harder today than five years ago, mainly due to the explosion of AI and expanding attack surfaces, according to BitSight. These threats are also fueling high rates of burnout, with 47% of cybersecurity and cyber risk professionals reporting exhaustion.


Another key factor in the burnout crisis is the lack of threat visibility. Respondents at organizations with the tools to regularly map threats across their environments and contextualize them with multiple risk factors for full visibility, a capability that just 17% have, report a significantly lower burnout rate of 44%. Those without that capability report a burnout rate of 63%.

More than 1 in 10 respondents said they feel very burned out or are close to quitting. Burnout is even higher, at 54%, in companies without a formal cyber risk management program.

Consequences of cyber risk immaturity

The good news is that many organizations say they’ve already taken the first steps toward building a formal, structured approach to measuring and managing cyber risk. This progress is helping drive improvements at most companies today.

67% of respondents said their cyber risk practices are at least moderately mature, and 83% of organizations reported having some type of formal cyber risk program in place. Only 19% of those surveyed would judge their cyber risk management practices as very mature. Meanwhile, one in five organizations admit their practices still remain immature.

Even though most organizations have a formal cyber risk program, far fewer said that it effectively guides decisions based on business priorities. Only 29% reported having a formal cyber risk management program that is also well aligned with their business goals.

Monitoring is a top priority, but still out of reach

Security leaders overwhelmingly rank continuous monitoring as their number one priority, yet only 17% have the capability to do it, leaving major gaps in threat detection, prioritization, and response.

Immature companies are 3x as likely as mature companies to lack the kind of asset discovery and visibility they need to implement consistent controls over anything but their most critical assets. Only one in three organizations have mature exposure management processes in place.

TPRM monitoring remains inconsistent

99% of organizations today report that they assess third-party relationships for cyber risk in one form or another. For a large share of that 99%, it is difficult to say exactly what form that assessment takes.

  • It could be done purely manually in the form of periodic vendor assessment questionnaires.
  • It could be done solely through continuous monitoring of a few select organizations and little else.
  • It could be done as a combination of continuous monitoring and questionnaires.
  • Or it could be done through thorough use of continuous monitoring across all third parties.

While almost everyone does assess their third-party relationships, the effectiveness of those assessment methods varies widely. It’s a dangerous blind spot, considering 30% of breaches last year were tied to third parties, double the previous year’s share.

Communicating risk

Most organizations don’t think they do a poor job of communicating cyber risk to business leaders, but few believe they do it very well. Only 28% gave themselves top marks, while 56% said they do “somewhat well,” and 16% rated their efforts poorly.

The data shows a link between strong cyber risk communication and mature cybersecurity practices. Organizations with a formal cyber risk program and better asset visibility are far more likely to communicate risk effectively. In fact, 93% of mature organizations say they communicate risk well, compared to just 63% of less mature ones.

“As AI-automated threats accelerate, organizations are struggling with both the technical complexities of risk management and the critical need to align cybersecurity efforts with business priorities,” said Stephen Boyer, Chief Innovation Officer at Bitsight. “The data shows that continuous monitoring and comprehensive visibility into cyber risk intelligence are no longer optional – they are foundational for effective risk management and communication, and for combating the increasing rates of burnout within security teams.”