Skip to main content
Article

Cybersecurity: Attention, assessment and quantification

Cyber Risk Management
N/A

February 19, 2021

Introducing a series of articles focused on management attention to cybersecurity, assessing security posture and quantifying cyberrisk exposure.

Unlock More

About our “Cybersecurity: Attention, assessment and quantification” series

A series of articles on the impact of management attention, security assessments and risk quantification on an organization's cybersecurity posture.

It has been almost ten years since the first of the recognized cyber security ratings firms came into being. BitSight was founded in 2011, UpGuard in 2012, SecurityScorecard in 2013 and Cyber Global Risk Exchange in 2015. While this is not an exhaustive list of cyber security rating firms, they do represent like methods of scoring an organization’s security posture. Their assessments are based on data gleaned from active and passive scans they perform against an organization’s web domain name. Businesses are increasingly making use of these services to assist in vendor management, utilizing available outputs to determine whether to or how to work with specific organizations.

The intent of security rating firms is applauded, given that they offer a quick and objective assessment of an organization’s technical security posture. Yet, the emphasis is on the assessment of technical security, rather than anything related to organizational culture or cybersecurity decisioning practices.

As Willis Towers Watson has outlined in prior thought leadership pieces, our data suggests that over 60+ percent of cyberattacks can be directly attributed to internal resources. There is a need therefore, to also focus on an organization’s cyber culture dimension, workforce attitudes and behaviors, in addition to properly implementing security measures to harden an organization’s technical environment relative to potential cyber threats. A strong cyber culture is just as important as an organization’s technical security posture.

Now, a third security dimension, that of management attention to cybersecurity in an organization, is also being outlined. Management attention represents the level of attention that an organization’s management applies to cybersecurity, related decisioning, investment, resourcing and related risk-averse security practice adoption. For example, if an organization’s management team is focused on certain critical initiatives, outside of normal operational tempo, which dilute management’s ability to focus on other lower priority initiatives or do not address the attainment of target metrics, it is possible that the management team’s attention to cybersecurity may wane. In the absence of focused and dedicated attention, the management team may inadvertently ‘drop the ball’, leaving them and their organization ripe for a potential cyberattack.

We are pleased to share this series of articles devoted to exploring: 1) management attention and its impact on the cyber security posture of an organization, 2) how a holistic mix of security assessments can more accurately reflect an organization’s security posture, and 3) how quantification of cyber risk exposure is needed to support management attention to cybersecurity. Properly and accurately assessing an organization’s security posture is critical for managers in order to understand, prepare for and protect their organizations against increasingly frequent and impactful cyber security risks.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.

Contact

Product Director, Cyber Analytics

Related content tags, list of links Article Cyber Risk Management United States
Contact Us