The State of CyberGRC Survey:Looking into 2023

Question Title

* 2. Which of these best describes your job role?

CISO

CIO

Chief Risk Officer/Risk Manager

Chief Compliance Officer/Compliance Manager

IT Risk Director/Manager

IT Vendor Head/Manager

Other (please specify)

Question Title

* 3. Which function is primarily responsible for overall IT/cyber-related risk and compliance management in your organization?

IT Security

Data/Information Security

IT Operations

Risk Management

Compliance

Technology

Don’t know

Other (please specify)

Question Title

* 4. How does your organization primarily assess cyber risks today? Please select all that apply

Qualitative (red, yellow, green heatmaps or high, med, low rating)

Quantitative (expressing cyber risks in monetary terms, other quantitative)

Key Risk Indicators (incidents, data complaints, access controls, policy exceptions)

All the above

Other (please specify)

Question Title

* 5. How frequently does your organization conduct cyber risk & controls assessments?

Monthly

Quarterly

Half yearly

Annually

Continuously

Ad-hoc

Question Title

* 6. How frequently does your organization review its cyber risk strategy and policies?

Half yearly

Annually

Once in 2 years

There is no fixed schedule/cadence

Other (please specify)

Question Title

* 7. What software does your organization currently use for IT/cyber-related risk and compliance management?

Office productivity software (documents, spreadsheets, etc)

Knowledge management software (e.g. SharePoint / Jira)

Point solutions (single use-case), but not integrated with risk and compliance systems

One integrated solution for Cyber Risk, Policy, Compliance and Third-Party/Vendor Management

Outsourced completely

Question Title

* 8. Among the following, what are the top use cases of such software? Please select your top three use cases.

Identify, assess and treat cyber risks

Assign risk rating for assets

Centrally manage processes, assets, risks, and controls

Automating processes and workflows

Continuously monitoring and testing controls

Harmonize controls across standards and compliance requirements

Threats & Vulnerabilities prioritization & mitigation

Analytics and reporting

Quantifying IT/cyber risks

Question Title

* 9. Thinking about today, what are your organization’s top IT/cyber related risk and compliance challenges? Please select all that apply.

Lack of visibility into cyber and compliance risks across the organization

Manual and siloed approach to cyber risk and compliance management

Efficiently monitoring compliance with regulations, standards, policies, etc

Monitoring controls frequently and quickly

Inability to quantify and prioritize cyber risks/investments

Managing and monitoring third party and fourth party risks

Creating/maintaining a culture of security awareness and compliance

Threat and vulnerability detection

Other (please specify)

Question Title

* 10. Please choose the statement that best reflects how integrated your current cyber risk and compliance program is, with your organization’s overall enterprise risk and compliance programs

My organization's cyber risk and compliance program is fully integrated with the enterprise risk and compliance management programs

My organization's cyber risk and compliance program is somewhat integrated with the enterprise risk and compliance management programs

My organization's cyber risk and compliance program is not integrated with the enterprise risk and compliance management programs

Question Title

* 11. How has the threat landscape in 2022 affected your cyber risk management program?

Changed our plans, approaches to IT/cyber risk & compliance, reprioritized our activities

No change in plans, approaches, and activities

Increase in budget and/or team size

New and/or increased scope of IT & Cyber Risk and Compliance Programs

Deployed new/additional tools & systems

Question Title

* 12. In your opinion, what is the biggest cyber risk your organization faces today?

Lack of focus/awareness at the board level

Third-parties (including their employees)

Lack of appropriate resources (budget, qualified personnel, tools, etc)

Data breaches

Cyber attacks

Employees

Lack of integration with overall risk strategy

Other (please specify)

Question Title

* 13. As we enter 2023, how confident are you about your organization’s preparedness for the evolving cyber risk and threat landscape?

Extremely confident

Very confident

Somewhat confident

Not so confident

Not at all confident

Question Title

* 14. Where does your organization plan to invest in 2023? Please choose one option in each row below

	Definitely	Most likely	Maybe/Not sure	Unlikely	Definitely Not
Hiring more IT/Cyber risk/GRC professionals	Hiring more IT/Cyber risk/GRC professionals Definitely	Hiring more IT/Cyber risk/GRC professionals Most likely	Hiring more IT/Cyber risk/GRC professionals Maybe/Not sure	Hiring more IT/Cyber risk/GRC professionals Unlikely	Hiring more IT/Cyber risk/GRC professionals Definitely Not
Improving real-time insights and analytics on cyber risks and compliance posture	Improving real-time insights and analytics on cyber risks and compliance posture Definitely	Improving real-time insights and analytics on cyber risks and compliance posture Most likely	Improving real-time insights and analytics on cyber risks and compliance posture Maybe/Not sure	Improving real-time insights and analytics on cyber risks and compliance posture Unlikely	Improving real-time insights and analytics on cyber risks and compliance posture Definitely Not
Quantifying cyber risks in monetary terms	Quantifying cyber risks in monetary terms Definitely	Quantifying cyber risks in monetary terms Most likely	Quantifying cyber risks in monetary terms Maybe/Not sure	Quantifying cyber risks in monetary terms Unlikely	Quantifying cyber risks in monetary terms Definitely Not
Automating processes and workflows	Automating processes and workflows Definitely	Automating processes and workflows Most likely	Automating processes and workflows Maybe/Not sure	Automating processes and workflows Unlikely	Automating processes and workflows Definitely Not
Harmonizing & rationalizing controls across standards and compliance requirements	Harmonizing & rationalizing controls across standards and compliance requirements Definitely	Harmonizing & rationalizing controls across standards and compliance requirements Most likely	Harmonizing & rationalizing controls across standards and compliance requirements Maybe/Not sure	Harmonizing & rationalizing controls across standards and compliance requirements Unlikely	Harmonizing & rationalizing controls across standards and compliance requirements Definitely Not
Continuous monitoring of IT controls using automation	Continuous monitoring of IT controls using automation Definitely	Continuous monitoring of IT controls using automation Most likely	Continuous monitoring of IT controls using automation Maybe/Not sure	Continuous monitoring of IT controls using automation Unlikely	Continuous monitoring of IT controls using automation Definitely Not
Consolidating multiple cyber risk tools/software	Consolidating multiple cyber risk tools/software Definitely	Consolidating multiple cyber risk tools/software Most likely	Consolidating multiple cyber risk tools/software Maybe/Not sure	Consolidating multiple cyber risk tools/software Unlikely	Consolidating multiple cyber risk tools/software Definitely Not
Improve employee awareness on cybersecurity	Improve employee awareness on cybersecurity Definitely	Improve employee awareness on cybersecurity Most likely	Improve employee awareness on cybersecurity Maybe/Not sure	Improve employee awareness on cybersecurity Unlikely	Improve employee awareness on cybersecurity Definitely Not

Question Title

* 15. Please share thoughts or comments, if any, about your cyber/IT risk strategy that you believe will be helpful to other users of GRC and IT/Risk management solutions

Question Title

* 16. Which of the following best describes the primary industry of your organization?

Airlines & Aerospace (including Defense)

Apparel

Automotive & Ancillaries

Banking & Financial Services

Chemicals

Consulting

Consumer Equipment & Goods

Energy

Food & Beverages

Government & Non-profit

Healthcare & Pharmaceuticals

Hospitality

Industrial Equipment

Infrastructure & Utilities

Insurance

Internet Company/App/SaaS

Manufacturing

Media & Entertainment

Metals & Mining

Oil & Gas

Real Estate (including development)

Retail

Telecommunications

Transport & Logistics

Other (please specify)

Question Title

* 17. Where is your company headquarters located?

Asia Pacific (includes ANZ)

North America

Europe (including UK)

Middle East

Africa

South America

Question Title

* 18. What is the size of your company?

Less than 500 employees

501 – 2,000 employees

2,000 – 5,001 employees

5,001 – 10,000 employees

10,000+ employees

Question Title

* 19. What is the size of your organization's IT/cyber risk and compliance team?

Less than 5 members

5 - 10 members

10 - 20 members

20 - 50 members

50- 100 members

100+ members

The State of CyberGRC Survey:Looking into 2023

Welcome!

Question Title

* 1. Please fill in your company name

Question Title

* 2. Which of these best describes your job role?

Question Title

* 3. Which function is primarily responsible for overall IT/cyber-related risk and compliance management in your organization?

Question Title

* 4. How does your organization primarily assess cyber risks today? Please select all that apply

Question Title

* 5. How frequently does your organization conduct cyber risk & controls assessments?

Question Title

* 6. How frequently does your organization review its cyber risk strategy and policies?

Question Title

* 7. What software does your organization currently use for IT/cyber-related risk and compliance management?

Question Title

* 8. Among the following, what are the top use cases of such software? Please select your top three use cases.

Question Title

* 9. Thinking about today, what are your organization’s top IT/cyber related risk and compliance challenges? Please select all that apply.

Question Title

* 10. Please choose the statement that best reflects how integrated your current cyber risk and compliance program is, with your organization’s overall enterprise risk and compliance programs

Question Title

* 11. How has the threat landscape in 2022 affected your cyber risk management program?

Question Title

* 12. In your opinion, what is the biggest cyber risk your organization faces today?

Question Title

* 13. As we enter 2023, how confident are you about your organization’s preparedness for the evolving cyber risk and threat landscape?

Question Title

* 14. Where does your organization plan to invest in 2023? Please choose one option in each row below

Question Title

* 15. Please share thoughts or comments, if any, about your cyber/IT risk strategy that you believe will be helpful to other users of GRC and IT/Risk management solutions

Question Title

* 16. Which of the following best describes the primary industry of your organization?

Question Title

* 17. Where is your company headquarters located?

Question Title

* 18. What is the size of your company?

Question Title

* 19. What is the size of your organization's IT/cyber risk and compliance team?

Question Title

* 20. If you would like to receive a copy of the report and findings (to be released in January 2023), please leave your company email ID

The State of CyberGRC Survey:
Looking into 2023