Many Organizations Lack Maturity to Address Security Risks: RSA

Nearly three quarters of global organizations lack the maturity to address cybersecurity risks, and size is not a determinant of strong maturity, according to RSA’s inaugural Cybersecurity Poverty Index.

The report from EMC’s security division is based on the responses of over 400 IT security professionals from 61 countries who were asked to self-assess the maturity of their cybersecurity programs using the NIST Cybersecurity Framework as a benchmark.

Respondents answered 18 questions covering the identify, protect, detect, respond, and recover functions outlined in NIST’s Cybersecurity Framework. They rated their capabilities by using a five point scale indicating their organization’s maturity level: negligent, deficient, functional, developed, and advantaged.

The survey shows that only 25 percent of organizations have well-developed (developed) or superior (advantaged) security programs. The rest of respondents indicated having significant cybersecurity exposure with overall capabilities falling below the “developed” level.

Geographical location and size are factors that don’t seem to influence the maturity level of an organization’s security strategy. For instance, 83 percent of organizations with more than 10,000 employees are not well prepared to handle cyber threats.

As for location, organizations in the Asia Pacific Japan (APJ) and Europe, the Middle East and Africa (EMEA) regions are better prepared than ones in the Americas, despite the fact that the NIST Cybersecurity Framework was created in the United States. The figures show that 39 percent of organizations in APJ have developed or advantaged security strategies, while in EMEA and the Americas only 26 percent, respectively 24 percent, have the same overall maturity.

RSA has also noticed some differences when comparing critical sectors such as telecommunications, financial services, and government. The telecommunication sector ranked highest with half of organizations having developed or advantaged capabilities. At the other end of the chart we have the government sector, where only 18 percent of respondents are pleased with their capabilities.

It’s not uncommon for organizations to experience cyber security incidents that have a negative impact on business operations. RSA’s study shows that the more incidents an organization deals with, the more mature its capabilities are. More precisely, companies that reported 40 or more incidents in the past year are 2.5 times more likely to have developed or advantaged capabilities. On the other hand, 63 percent of the respondents with 40 or more incidents still admitted having an inadequate level of maturity.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats. Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing,” said Amit Yoran, president of RSA. “We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”