Many Organizations Lack Maturity to Address Security Risks: RSA

Nearly three quarters of global organizations lack the maturity to address cybersecurity risks, and size is not a determinant of strong maturity, according to RSA’s inaugural Cybersecurity Poverty Index.

The report from EMC’s security division is based on the responses of over 400 IT security professionals from 61 countries who were asked to self-assess the maturity of their cybersecurity programs using the NIST Cybersecurity Framework as a benchmark.

Respondents answered 18 questions covering the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. They rated their capabilities on a five-point maturity scale: negligent, deficient, functional, developed, and advantaged.

The survey shows that only 25 percent of organizations have well-developed (“developed”) or superior (“advantaged”) security programs. The remaining 75 percent rated their overall capabilities below the “developed” level, which RSA equates to significant cybersecurity exposure.

Organization size does not appear to determine the maturity of a security program: 83 percent of organizations with more than 10,000 employees are not well prepared to handle cyber threats.

Location had only a modest effect. Organizations in the Asia Pacific Japan (APJ) and Europe, the Middle East and Africa (EMEA) regions are better prepared than those in the Americas, despite the fact that the NIST Cybersecurity Framework was created in the United States. The figures show that 39 percent of organizations in APJ have developed or advantaged security programs, compared with 26 percent in EMEA and 24 percent in the Americas.

RSA also found differences between critical sectors such as telecommunications, financial services, and government. The telecommunications sector ranked highest, with half of organizations reporting developed or advantaged capabilities. At the other end of the chart is the government sector, where only 18 percent of respondents rated their capabilities at those levels.

It is not uncommon for organizations to experience cyber security incidents that have a negative impact on business operations. RSA’s study shows that the more incidents an organization deals with, the more mature its capabilities tend to be. More precisely, companies that reported 40 or more incidents in the past year are 2.5 times more likely to have developed or advantaged capabilities. Even so, 63 percent of the respondents with 40 or more incidents still admitted to an inadequate level of maturity.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats. Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing,” said Amit Yoran, president of RSA. “We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
