The Blind Spot in Cybersecurity: Assessing Value and Efficacy in Risk Management
September 18, 2023
Risk managers are flying blind when it comes to the value and efficacy of cybersecurity systems, according to a report by McKinsey. They are unable to assess the return on their cybersecurity investments for two key reasons: they rely on a hodge-podge of reports from different sources, and they lack solid information about risk levels, the effectiveness of countermeasures, and how well key assets are protected.
Many are frustrated by the complexity of cyber risk-management tools, particularly governance, risk and compliance (GRC) systems, which can take years to implement and rarely produce satisfying results. GRC software was built by technicians, and the same kind of expertise is needed to make sense of its output. Nor is GRC focused on cyber risk: it covers financial, legal, natural and regulatory risks as well, and, according to the report, it is functionally incapable of producing a useful overview of an organization's cybersecurity posture.
Additionally, in one McKinsey survey, more than half of executive respondents said cybersecurity reporting was too technical for their purposes. McKinsey's surveys also found that cyber-risk reporting is often inadequate. Lacking the information needed to prioritize, organizations frequently apply a standard suite of controls to all company assets. As a result, low-priority assets can be overprotected while critical assets remain dangerously exposed.