Many Organizations Lack Maturity to Address Security Risks: RSA

Nearly three quarters of global organizations lack the maturity to address cybersecurity risks, and size is not a determinant of strong maturity, according to RSA’s inaugural Cybersecurity Poverty Index.

The report from EMC’s security division is based on the responses of over 400 IT security professionals from 61 countries who were asked to self-assess the maturity of their cybersecurity programs using the NIST Cybersecurity Framework as a benchmark.

Respondents answered 18 questions covering the identify, protect, detect, respond, and recover functions outlined in NIST’s Cybersecurity Framework. They rated their capabilities on a five-point scale indicating their organization’s maturity level: negligent, deficient, functional, developed, and advantaged.

The survey shows that only 25 percent of organizations have well-developed (developed) or superior (advantaged) security programs. The rest of the respondents indicated having significant cybersecurity exposure, with overall capabilities falling below the “developed” level.

Geographical location and size are factors that don’t seem to influence the maturity level of an organization’s security strategy. For instance, 83 percent of organizations with more than 10,000 employees are not well prepared to handle cyber threats.

As for location, organizations in the Asia Pacific Japan (APJ) and Europe, the Middle East and Africa (EMEA) regions are better prepared than ones in the Americas, despite the fact that the NIST Cybersecurity Framework was created in the United States. The figures show that 39 percent of organizations in APJ have developed or advantaged security strategies, while in EMEA and the Americas only 26 percent and 24 percent, respectively, have the same overall maturity.

RSA has also noticed some differences when comparing critical sectors such as telecommunications, financial services, and government. The telecommunication sector ranked highest with half of organizations having developed or advantaged capabilities. At the other end of the chart we have the government sector, where only 18 percent of respondents are pleased with their capabilities.

It’s not uncommon for organizations to experience cybersecurity incidents that have a negative impact on business operations. RSA’s study shows that the more incidents an organization deals with, the more mature its capabilities are. More precisely, companies that reported 40 or more incidents in the past year are 2.5 times more likely to have developed or advantaged capabilities. On the other hand, 63 percent of the respondents with 40 or more incidents still admitted having an inadequate level of maturity.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats. Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing,” said Amit Yoran, president of RSA. “We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
