Aon's Cyber Solutions combines digital risk management services, Professional Risk Solutions and their Global Risk Consulting Practice. They recently published findings from their assessments of almost 3,000 global clients using their Aon Cyber Quotient (CyQu) methodology in the Aon 2023 Cyber Resilience Report.
Summarized here are the key findings, which offer outstanding insights useful for every cyber professional (and many general executives).
How Cyber Risk Touches Nearly all Aspects of Business Risk:
1. Cyber Maturity: In general, organizations across industries and revenue bands improved their cyber maturity from "basic" to "managed." This improvement indicates progress in managing cyber risks effectively.
This increasing maturity is also seen from our perspective in cyber security culture, human protection, and human factors cyber risk management. In our conversations with global organizations big and small and with our clients, there is a need to bring together an increased level of maturity that goes beyond just slamming in a toolset, delegating risk management to an LMS, or running only push-based programs without the necessary metrics attached. It's become increasingly important in the security awareness space to prove progress, to better understand the roles and audiences within the organization, and to work strategically on a programmatic level. Secure Human Risk Management is emergent, and similar to what we've seen in SOC, SecOps, and with CISOs overall, we have to do more than delegate information security culture to a tech admin running a toolset.
2. Most Improved: Five domains showed the most significant improvement in risk profiles:
- data security
- application security
- remote work
- access control
- endpoint and systems security.
These areas received increased focus and investment.
In any change or maturity wave we have seen at organizations over the last 20 years, creating substantial process, technology, or people improvement requires strategy, management focus, and resources. That's just Business 101. And the areas which were most improved were absolutely critical for organizations to mature in order to reduce an overall risk profile. However, budgets and resources toward training, culture, human risk, and awareness are not on that list, and I'm not sure they will be changing anytime soon. In some regards the human element market has been driven into commodity pricing (especially by one rather large industry player, cough cough) but also by the enduring misunderstanding by the technologists of the industry that 'you can't fix people'. Here's hoping that 2024 will see those gains in Human Risk Management as well.
3. Preparedness Evaluation: Teams must continuously evaluate their organization's preparedness for evolving cyber threats. Providing quantifiable evidence of the current effectiveness of security controls is crucial to demonstrate resilience.
This topic resonates very much with us and indeed was a key point during the panel we hosted at RSA. The underlying culture of security teams, and their ability to maintain a high-performance, "High Trust" culture with the discipline to continuously evaluate preparedness, is an important aspect, and one that many organizations miss.
One of the panelists, who is both a NYC fireman and a reservist in the United States Air Force, said something that really struck me when answering one of the questions. He said, "At the end of the day, under any kind of pressure, you fight like you train." That's what led us into the conversation around culture, responsibility, and the deep sense of trust that is required to run a productive and mentally healthy team under extremely stressful circumstances. Preparedness to me also means that people have to be mentally prepared, they have to be behaviorally and value-aligned, and leadership needs to keep a very close finger on the pulse of how well their team is able to respond in order to deliver resilience.
4. Top Global Risk: Cyber threat was predicted to remain the top global risk for 2024, outranking other major risks like COVID-19 and supply chain disruptions. The increasing prominence of long-term hybrid working, supply chain-related attacks, geopolitical instability, and digital connectivity has driven a much greater focus on cyber risk worldwide.
5. Beyond Technology: Cyber risk is not limited to technology-related issues but encompasses financial, operational, people, regulatory, and even catastrophic threats to organizations of all sizes and sectors. Understanding business drivers and daily decisions is vital for managing holistic and sustainable cyber resilience.
This is absolutely true. Between the July 2023 SEC ruling regarding compliance of public companies and the responsibilities of the board of directors, as well as the emergent conversations around cyber insurance and the way companies and insurers need to manage an almost impossible pool of shared risk… everyone at the organization needs to be cyber literate.
The challenges with that, from my perspective, are many, which is why we developed a comprehensive, holistic, role-based, audience-based approach to learning and development, training, compliance education, and culture change, so that all levels of the organization can speak to each other to really perceive risk, communicate risk, and mitigate risk. To embed something like that requires both an educational focus and a cultural focus.
6. Cyber Budgets: Aon Clients reported an increase in the budget allocated to cybersecurity between 2020 and 2022, with around 10 percent of the information technology budget spent specifically on security.
7. Drivers of Improvement: Improvements in the security profile were driven by incident response planning, data protection, endpoint logging and monitoring, and remote work vulnerability and monitoring. Access controls, data security, and business resilience were areas of focused improvement.
In conclusion, the report highlights the increasing importance of cyber risk management and the need for organizations to continually improve their cyber maturity to stay resilient against evolving threats. It emphasizes the holistic nature of cyber risk and the need for constant evaluation and evidence-based approaches to ensure effective cyber controls.
THE POWER OF PARTNERING WITH CYBERMANIACS
Leveraging psychology and neuroscience, Cybermaniacs' humor-infused content goes beyond traditional training, ingraining cybersecurity awareness into an organization's fabric. Ultimately, Cybermaniacs' focus on habit and mindset building equips organizations to navigate the evolving risk landscape effectively, making them a valuable partner for CISOs seeking innovative, engaging, and comprehensive cybersecurity solutions.
Learn more at cybermaniacs.com/demo.