CRA Study: Cyber Risk Takes Center Stage in the Boardroom

Published on March 9, 2022

New York, NY, March 9, 2022 – Risk management has risen from a checklist item to one of the key pillars required to ensure a corporation can manage security risk at the board of directors’ level, according to new survey findings from CRA Business Intelligence, the research and content arm of cybersecurity information services company CyberRisk Alliance.

The survey, sponsored by GRC platform provider Reciprocity, assessed cyber risk priorities among 252 senior-level executives in IT, cybersecurity and governance, risk, and compliance roles at mid-size to large organizations in the United States.

The urgency for boards is driven by the significant escalation of ransomware and other attacks in the past year, including those that have led to real-world consequences, like the Colonial Pipeline attack in May that ground operations to a halt and left people scrambling to fuel their vehicles.

Board members also increasingly understand that security challenges include finding qualified staff and training employees. Survey respondents reported that this has been no easy task.

Corporate investments are increasingly devoted to GRC, audits, and ways to realign the strategies of technical staff, CIOs and CISOs with the boards’ strategic priorities. Increasingly, companies are bringing in external auditors because their audits are considered more credible than those conducted in-house. There’s also a growing push to invest in the human element of security to balance out investments in technology. Part of this realignment is implementing a security framework, such as the one developed by the National Institute of Standards and Technology (NIST), as well as developing more effective auditing policies and procedures, to clearly identify the ROI of cybersecurity.

Among the findings:
• More than half of all respondents (54%) said they have a proactive risk management approach, but fewer than 20% of all respondents claimed that they have a real-time approach. Financial and professional services respondents were the most likely to use frameworks and other best practices.
• Continuous risk monitoring, improving risk identification, and aligning risk to business objectives — a key requirement of many boards of directors — are top objectives for investing in GRC software.
• Top risks to organizations include data privacy (67%), insider threats (53%), data theft (44%), and ransomware (38%). The shifts created by the pandemic accounted for 31% of the risk.
• At least half of all respondents say that improving their risk program and training for employees and IT staff are top challenges.

“We know, from our own customer base, that companies are struggling to not only see risk and understand the impact to their business, but to communicate it out in a way that other parts of the organization can really understand the impact,” said Michael Geller, COO at Reciprocity.

The full research report is available for download here.

About CyberRisk Alliance
CyberRisk Alliance (CRA) is a business intelligence company serving the high growth, rapidly evolving cybersecurity community with a diversified portfolio of services that inform, educate, build community, and inspire an efficient marketplace. Our trusted information leverages a unique network of journalists, analysts and influencers, policymakers, and practitioners. CRA’s brands include SC Media, Security Weekly, InfoSec World, Cybersecurity Collaboration Forum, our research unit CRA Business Intelligence, the peer-to-peer CISO membership network, Cybersecurity Collaborative, ChannelE2E, MSSP Alert, and Identiverse. More information is available at

About Reciprocity
Reciprocity equips organizations with the fastest, easiest and most prescriptive information security solutions in the market. Our fully integrated and automated ZenGRC platform powers a full catalog of compliance, risk and other infosec applications. Supported by our award-winning customer service and industry-leading GRC expert teams, we help businesses realize the industry’s fastest time to value while fostering in-house expertise. More information is available at
