BEDFORD, Mass., June 9, 2015 /PRNewswire/ --
STORY HIGHLIGHTS
- Nearly 75% surveyed lack the maturity to address cybersecurity
risks
- 83% of large organizations ranked themselves as below
"developed" in maturity
- Up to 45% admit inability to measure, assess and mitigate
cybersecurity risk
- The most mature capability revealed in the research is in the area of Protection; Detect and Response capabilities lag
- Only one-third of financial services organizations report being
adequately prepared
- NIST Cybersecurity Framework used as the measuring stick; yet
the Americas rank themselves behind both APJ and EMEA in overall
maturity
Today, RSA, The Security Division of EMC (NYSE: EMC), released
its inaugural Cybersecurity Poverty Index that compiled survey
results from more than 400 security professionals across 61
countries. The survey allowed participants to self-assess the
maturity of their cybersecurity programs leveraging the NIST
Cybersecurity Framework (CSF) as the measuring stick. The research
provides valuable global insight into how organizations rate their
overall cybersecurity maturity and practices across a variety of
organizational sizes, industries and geographies. While larger
organizations are typically thought of as having the resources to
mount a more substantive cyber defense, the results of the survey
indicate that size is not a determinant of strong cybersecurity
maturity and nearly 75% of all respondents self-reported
insufficient levels of security maturity.
The lack of overall maturity is not surprising as many
organizations surveyed reported security incidents that resulted in
loss or damage to their operations over the past 12 months.
The most mature capability revealed in the research was the area of Protection. The results provide quantitative evidence that the most mature part of organizations' cybersecurity programs and capabilities lies in preventative solutions, despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks. Further, the greatest weakness of the organizations surveyed is the ability to measure, assess and mitigate cybersecurity risk, with 45% of those surveyed describing their capabilities in this area as "non-existent" or "ad hoc," and only 21% reporting that they are mature in this domain. This shortfall makes it difficult or impossible to prioritize security activity and investment, a foundational activity for any organization looking to improve its security capabilities today.
Counter to expectations, the research indicates that the size of an organization is not an indicator of maturity. In fact, 83% of surveyed organizations with more than 10,000 employees rated their capabilities as less than "developed" in overall maturity. This result suggests that large organizations' experience and visibility into advanced threats make them aware of the need for greater maturity than their current standing provides. Large organizations' weak self-assessed maturity ratings indicate that they understand the need to move to detection and response solutions and strategies for a more robust and mature security posture.
Also counter to expectations were the results from Financial Services organizations, a sector often cited as industry-leading in security maturity. Despite conventional wisdom, the Financial Services organizations surveyed did not rank themselves as the most mature industry, with only one third rating themselves as well-prepared. Critical infrastructure operators, the original target audience for the CSF, will need to make significant steps forward from their current levels of maturity. Organizations in the Telecommunications industry reported the highest level of maturity, with 50% of respondents having developed or advantaged capabilities, while Government ranked last across industries in the survey, with only 18% of respondents ranking as developed or advantaged. The lower self-assessments of maturity in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape and of the need to build more mature capabilities to match it.
Despite the fact that the CSF was developed in the United States, the reported maturity of
organizations in the Americas ranked behind both APJ and
EMEA. Organizations in APJ reported the most mature security
strategies with 39% ranked as developed or advantaged in overall
maturity while only 26% of organizations in EMEA and 24% of
organizations in the Americas rated as developed or advantaged.
Methodology
To assess cybersecurity maturity, respondents self-assessed
their capabilities against a sampling of the NIST Cybersecurity
Framework (CSF). The CSF provides guidance based on existing
standards, guidelines, and practices for reducing cyber risks, and
was created through collaboration between industry and government.
While the CSF was initially developed in the United States with the aim of helping to
reduce cyber risks to critical infrastructure, organizations
worldwide have found it to be a prioritized, flexible, repeatable,
and cost-effective approach for managing cyber risk. Thus, it
serves as an excellent baseline to assess any organization's core
cyber security and cyber risk management maturity.
Organizations rated their own capabilities in the five key functions outlined by the CSF: Identify, Protect, Detect, Respond, and Recover. Ratings used a 5-point scale, with 1 signifying that the organization had no capability in a given area and 5 indicating that it had highly mature practices in that area.
EXECUTIVE QUOTES:
Amit Yoran, President, RSA, The Security Division of EMC
"This research demonstrates that enterprises continue to pour
vast amounts of money into next generation firewalls, anti-virus,
and advanced malware protection in the hopes of stopping advanced
threats. Despite investment in these areas, however, even the
biggest organizations still feel unprepared for the threats they
are facing. We believe this dichotomy is a result of the failure of
today's prevention-based security models to address the advancing
threat landscape. We need to change the way we think about
security and that starts by acknowledging that prevention alone is
a failed strategy and more attention needs to be spent on strategy
based on detection and response."
Stephen T. Whitlock, Chief of Strategy & Technology, Information Security Solutions, Boeing
"Boeing has supported and contributed to the NIST Cybersecurity
Framework from its inception. We use it as a basis to assess the
overall security of both internal organizations and with external
customers. The CSF promotes a comprehensive, adaptable, risk
based approach that is technology and regulatory neutral. As we
have used the Framework, the results have had significant impact in
explaining issues and setting the direction for future cyber
security capability."
ADDITIONAL RESOURCES:
- Download the Cybersecurity Poverty Index eBook providing
valuable insights into organizations' cyber security maturity
- Take the same Cybersecurity Maturity Assessment that was used
for the Cybersecurity Poverty Index to determine your own
organization's maturity
- Watch a video from Amit Yoran,
Zulfikar Ramzan, and Mike Brown discussing insights from the
Cybersecurity Poverty Index
- Download an infographic highlighting key research results
- Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and
the RSA Speaking of Security Blog and Podcast
ABOUT RSA
RSA's Intelligence Driven Security solutions help organizations
reduce the risks of operating in a digital world. Through
visibility, analysis, and action, RSA solutions give customers the
ability to detect, investigate and respond to advanced threats;
confirm and manage identities; and ultimately, prevent IP theft,
fraud and cybercrime. For more information, please visit
www.rsa.com.
RSA and EMC are either registered trademarks or trademarks of
EMC Corporation in the United
States and/or other countries. All other products
and/or services referenced are trademarks of their respective
companies.
To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/rsa-research-finds-size-doesnt-matter-in-cybersecurity-300096142.html
SOURCE RSA