Size just doesn’t matter. That’s the word from RSA, which found that the size of an organization is not an indicator of its cybersecurity maturity.
In its inaugural Cybersecurity Poverty Index, the company assessed the maturity of cybersecurity programs using the NIST Cybersecurity Framework (CSF) as a benchmark, and found that 83% of surveyed organizations with more than 10,000 employees are not well prepared for today’s threats. Overall, nearly 75% of all businesses surveyed lack the maturity to address cybersecurity risks.
The Framework, launched in final form last year, is meant to be a voluntary blueprint of standards, guidelines and practices to help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack.
“Boeing has supported and contributed to the NIST Cybersecurity Framework from its inception,” said Stephen Whitlock, chief of strategy & technology for information security solutions at Boeing. “We use it as a basis to assess the overall security of both internal organizations and external customers. The CSF promotes a comprehensive, adaptable, risk-based approach that is technology and regulatory neutral. As we have used the Framework, the results have had significant impact in explaining issues and setting the direction for future cybersecurity capability.”
About 66% of all survey participants rated themselves as inadequate across five key functional areas (identify, protect, detect, respond and recover).
The most mature capability revealed in the research was in the area of protection. The results give quantitative support to the observation that the most mature part of organizations’ cybersecurity programs is their preventative solutions, even though it is widely understood that preventative strategies and solutions alone are insufficient in the face of more advanced attacks.
“This research demonstrates that enterprises continue to pour vast amounts of money into next-generation firewalls, anti-virus and advanced malware protection in the hopes of stopping advanced threats,” said Amit Yoran, president at RSA, in a statement. “Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing. We believe this dichotomy is a result of the failure of today's prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”
Disturbingly, 45% of respondents describe their capabilities to measure, assess and mitigate cybersecurity risk as “non-existent” or “ad hoc.” This was in fact the greatest weakness of the organizations surveyed, with only 21% reporting that they are mature in this domain. The shortfall makes it difficult or impossible to prioritize security activity and investment, a foundational step for any organization looking to improve its security capabilities today.
In terms of verticals, telecom reported the highest level of maturity, with 50% of respondents rating their capabilities as developed or advantaged (the two highest maturity rankings), while government ranked last across industries in the survey, with only 18% of respondents at those levels.
Interestingly, despite financial services’ reputation for well-developed security, only 34% of its respondents achieved a rating of developed or advantaged. The lower self-assessments in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape, and of the need to build more mature capabilities to match it.
Critical infrastructure operators, the original target audience for the CSF, will also need to make significant improvements to their current levels of maturity, RSA found.
Although the CSF was developed in the United States, the reported maturity of organizations in the Americas ranked behind both APJ and EMEA. Organizations in APJ reported the most mature security strategies, with 39% ranked as developed or advantaged in overall maturity, compared with 26% of organizations in EMEA and 24% of organizations in the Americas.