The Security Division of EMC – a leading provider of IT storage hardware solutions to promote data backup and recovery and accelerate the journey to cloud computing – released its inaugural Cyber Security Poverty Index that compiled survey results from more than 400 security professionals across 61 countries.
The survey allowed participants to self-assess the maturity of their cyber security programmes leveraging the NIST Cyber Security Framework (CSF) as the measuring stick. The research provides valuable global insight into how organisations rate their overall cyber security maturity and practices across a variety of organisational sizes, industries and geographies. While larger organisations are typically thought of as having the resources to mount a more substantive cyber defense, the results of the survey indicate that size is not a determinant of strong cyber security maturity and nearly 75 per cent of all respondents self-reported insufficient levels of security maturity.
The lack of overall maturity is not surprising as many organisations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months. The most mature capability revealed in the research was the area of protection. The research results provide quantitative insight that organisations’ most mature area of their cyber security programme and capabilities are in preventative solutions despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks. Further, the greatest weakness of the organisations surveyed is the ability to measure, assess and mitigate cyber security risk with 45 per cent of those surveyed describing their capabilities in this area as “non-existent,” or “ad hoc,” and only 21 per cent reporting that they are mature in this domain. This shortfall makes it difficult or impossible to prioritize security activity and investment, a foundational activity for any organisation looking to improve their security capabilities today.
Counter to expectations, the research indicates that the size of an organisation is not an indicator of maturity. In fact, 83 per cent of organisations surveyed with more than 10,000+ employees rated their capabilities as less than “developed” in overall maturity. This result suggests that large organisations’ overall experience and visibility into advanced threats dictate the need for greater maturity than their current standing. Large organisations’ weak self-assessed maturity ratings indicate their understanding of the need to move to detection and response solutions and strategies for a more robust and mature security.
Also counterintuitive to expectations were the results from Financial Services organisations, a sector often cited as industry-leading in terms of security maturity. Despite conventional wisdom, however, the Financial Services organisations surveyed did not rank themselves as the most mature industry, with only one third rating as well-prepared. Critical infrastructure operators, the original target audience for the CSF, will need to make significant steps forward in their current levels of maturity. Organisations in the Telecommunications industry reported the highest level of maturity with 50 per cent of respondents having developed or advantaged capabilities, while government ranked last across industries in the survey, with only 18 per cent of respondents ranking as developed or advantaged.
Despite the fact that the CSF was developed in the United States, the reported maturity of organisations in the Americas ranked behind both APJ and EMEA. Organisations in APJ reported the most mature security strategies with 39 per cent ranked as developed or advantaged in overall maturity while only 26 per cent of organisations in EMEA and 24 per cent of organisations in the Americas rated as developed or advantaged.
