Size doesn’t matter in cybersecurity: RSA research

• 83% of large organisations rank themselves as below ‘developed’
• Index shows ‘troubling’ lack of maturity, overreliance on prevention

WHILE larger organisations are typically thought of as having the resources to mount a more substantive cyber-defence, the results of an RSA survey indicate that size is not a determinant of strong cybersecurity maturity.
 
In its inaugural Cybersecurity Poverty Index that compiled survey results from more than 400 security professionals across 61 countries, nearly 75% of all respondents self-reported insufficient levels of security maturity, said RSA, the security division of EMC Corp.
 
In fact, 83% of organisations with more than 10,000+ employees rated their capabilities as less than ‘developed’ in overall maturity.
 
This result suggests that large organisations’ overall experience and visibility into advanced threats dictate the need for greater maturity than their current standing, RSA said in a statement.
 
Large organisations’ weak self-assessed maturity ratings indicate their understanding of the need to move to detect and response solutions and strategies for a more robust and mature security, the company added.
 
The RSA survey allowed participants to self-assess the maturity of their cybersecurity programmes leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick.
 
The lack of overall maturity is not surprising as many organisations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months, RSA said.
 
The most mature capability revealed in the research was the area of ‘Protection.’ The research results provide quantitative insight that organisations’ most mature area of their cybersecurity program and capabilities are in preventative solutions despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks.
 
Further, the greatest weakness of the organisations surveyed is the ability to measure, assess and mitigate cybersecurity risk, with 45% of those surveyed describing their capabilities in this area as ‘non-existent’ or ‘ad hoc,’ with only 21% reporting that they are mature in this domain.
 
This shortfall makes it difficult or impossible to prioritise security activity and investment, a foundational activity for any organisation looking to improve their security capabilities today, RSA argued.
 
“This research demonstrates that enterprises continue to pour vast amounts of money into next-generation firewalls, antivirus, and advanced malware protection in the hopes of stopping advanced threats,” said RSA president Amit Yoran (pic).
 
“Despite investment in these areas, however, even the biggest organisations still feel unprepared for the threats they are facing.
 
“We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape.
 
“We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response,” he added.
 
FSIs lag, telcos lead, govts weakest
 
Also counterintuitive to expectations were the results from Financial Services organisations, a sector often cited as industry-leading in terms of security maturity.
 
Financial Services organisations surveyed did not rank themselves as the most mature industry, with only one third rating as well-prepared.
 
Critical infrastructure operators, the original target audience for the CSF, will need to make significant steps forward in their current levels of maturity.
 
Organisations in the Telecommunications industry reported the highest level of maturity with 50% of respondents having developed or advantaged capabilities, while Government ranked last across industries in the survey, with only 18% of respondents ranking as developed or advantaged.
 
The lower self-assessments of maturity in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape and their need to build more mature capabilities to match it, RSA said.
 
Despite the fact that the CSF was developed in the United States, the reported maturity of organisations in the Americas ranked behind both Asia Pacific and EMEA (Europe/ Middle East/ Africa).
 
Organisations in Asia Pacific reported the most mature security strategies with 39% ranked as developed or advantaged in overall maturity, while only 26% of organisations in EMEA and 24% of organisations in the Americas rated as developed or advantaged.
 
Methodology
 
To assess cybersecurity maturity, respondents self-assessed their capabilities against a sampling of the NIST CSF.
 
The framework provides guidance based on existing standards, guidelines, and practices for reducing cyber risks, and was created through collaboration between industry and government.
 
Organisations rated their own capabilities in the five key functions outlined by the CSF: Identify, Protect, Detect, Respond, and Recover.
 
Ratings used a 5-point scale, with 1 signifying that the organisation had no capability in a given area, and 5 indicating that it had highly mature practices in the area.
 
Related Stories:
 
IT leaders on the harsh reality of cyber-protection
 
Security industry needs to abandon fear and trepidation: RSA chief
 
Security chiefs call for investments in ‘transformative’ technologies
 
Security leaders admit to being outgunned by cybercriminals: IBM study
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.