
Organisations are severely lacking in cybersecurity maturity

16 Jun 2015

Overall, organisations are displaying a lack of maturity and an over-reliance on prevention when it comes to security, according to RSA Research.

RSA, the security division of EMC, released its inaugural Cybersecurity Poverty Index that compiled survey results from more than 400 security professionals across 61 countries.

While larger organisations are typically thought of as having the resources to mount a more substantive cyber defence, the results of the survey indicate that size is not a determinant of strong cybersecurity maturity and nearly 75% of all respondents self-reported insufficient levels of security maturity. 

The lack of overall maturity is not surprising as many organisations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months, says RSA.

The most mature capability revealed in the research was the area of protection.

The research results showed that the most mature area of organisations' cybersecurity programs and capabilities is preventative solutions, despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks.

Further, the greatest weakness of the organisations surveyed is the ability to measure, assess and mitigate cybersecurity risk, with 45% of those surveyed describing their capabilities in this area as ‘non-existent’, or ‘ad hoc’, and only 21% reporting that they are mature in this domain.

This shortfall makes it difficult or impossible to prioritise security activity and investment, a foundational activity for any organisation looking to improve their security capabilities today, says RSA.

Counter to expectations, the research indicates that the size of an organisation is not an indicator of maturity.

In fact, 83% of organisations surveyed with more than 10,000 employees rated their capabilities as less than ‘developed’ in overall maturity.

This result suggests that large organisations' overall experience and visibility into advanced threats dictate the need for greater maturity than their current standing.

Large organisations' weak self-assessed maturity ratings indicate their understanding of the need to move to detection and response solutions and strategies for more robust and mature security.

"This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats. 

"Despite investment in these areas, however, even the biggest organisations still feel unprepared for the threats they are facing," says Amit Yoran, RSA president. 

"We believe this dichotomy is a result of the failure of today's prevention-based security models to address the advancing threat landscape. 

"We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response."

Also countering expectations were the results from financial services organisations, a sector often cited as industry-leading in terms of security maturity.

Despite conventional wisdom, however, the financial services organisations surveyed did not rank themselves as the most mature industry, with only one third rating as well-prepared.

Critical infrastructure operators will need to make significant steps forward in their current levels of maturity, according to RSA.

Organisations in the telecommunications industry reported the highest level of maturity with 50% of respondents having developed or advantaged capabilities, while Government ranked last across industries in the survey, with only 18% of respondents ranking as developed or advantaged.

The lower self-assessments of maturity in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape and their need to build more mature capabilities to match it.  

Organisations in APJ reported the most mature security strategies with 39% ranked as developed or advantaged in overall maturity while only 26% of organisations in EMEA and 24% of organisations in the Americas rated as developed or advantaged.
