2018 Cyber Balance Sheet Report

Partner: Focal Point

One year after our initial study, we continue chipping away at the walls of misunderstanding between business leaders and security teams. This 2018 report expands its scope to 157 respondents to answer a fundamental question: how is cyber risk actually perceived relative to other enterprise risks? We explore whether shared demographics like industry equate to shared risk profiles, or whether unique business drivers like growth strategy and regulatory pressure dictate the approach.

The data confirms that cyber risk has arrived at the center of the business. 80% of respondents now rank cyber risk at or toward the top of all risks facing their firms, making it a top-tier boardroom concern. This report examines why “satisfaction” with reporting remains high (75%) while “enablement” lags. Business leaders may nod in approval during a report, but they retain deep concerns about how to use that data for actual oversight.

A major roadblock identified is the lack of a formal “cyber risk appetite.” Many firms operate in a grey zone where appetite is decided on an informal, case-by-case basis, making it impossible to answer “Are we secure enough?” The report concludes with a six-step “path to enablement” for security leaders, urging them to understand profit and loss as well as they understand vulnerabilities.

Key Findings

  • 80% Priority Rate: 80% of organizations now rank cyber risk among their top-tier enterprise risks, with nearly 20% placing it “at the top.”
  • Reporting Return Gap: Compliance metrics rank #2 in reporting frequency but sit at the very bottom of the list for boardroom dialogue and value.
  • Training Habits: 60% of technical staff use their personal time for training, while only 13% are permitted to train during normal business hours.
  • Risk Appetite Void: The majority of firms have no formally established cyber risk appetite, often treating it as a binary “within or outside” qualitative guess.
  • The Satisfied-But-Uneasy Board: 3 out of 4 business leaders are satisfied with security reporting, yet significantly fewer feel actually enabled to provide oversight.
  • High-Growth Risk Tolerance: Firms with aggressive growth strategies are significantly more likely to rank cyber risk as their top organizational concern.
  • Situational Value: Boards place the highest value on security incident metrics and situational awareness (external threat trends).

Independent analysis by Cyentia Institute of 16,500 penetration tests conducted on nearly 3,000 organizations over a five-year period, supplemented by a double-blind survey of 450 validated security leaders and practitioners.