RSA released its inaugural Cybersecurity Poverty Index, which compiled survey results from more than 400 security professionals across 61 countries. The survey allowed participants to self-assess the maturity of their cybersecurity programs, using the NIST Cybersecurity Framework (CSF) as the measuring stick.
While larger organizations are typically thought of as having the resources to mount a more substantive cyber defense, the results of the survey indicate that size is not a determinant of strong cybersecurity maturity. Nearly 75% of all respondents self-reported insufficient levels of security maturity.
The lack of overall maturity is not surprising, as many organizations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months. The most mature capability revealed in the research was the area of Protection. Organizations' most mature cybersecurity capabilities are in preventative solutions, despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks.
“Our industry and the people in it have been pushing to balance detection and response with cybersecurity’s natural bias toward prevention,” according to Trey Ford, global security strategist at Rapid7. “We know it isn’t if but when an incident will happen – they will happen. The question that matters is where it happens and how long it takes to identify the incident, contain and eradicate what follows – dwell time is a critical stat executives should be tracking,” Ford added.
“Teams that are actively looking for issues in their environments will more often than not find them, and as a result, will be able to better inform preventative measures and have a better handle on how resilient the organization is to an attack. Those security teams will have a more grounded, and probably humble, perspective on their program maturity — and they may find better funding or executive-level support as a result,” according to Ford.
The greatest weakness of the organizations surveyed is the ability to measure, assess and mitigate cybersecurity risk, with 45% of those surveyed describing their capabilities in this area as “non-existent” or “ad hoc,” and only 21% reporting that they are mature in this domain. This shortfall makes it difficult or impossible to prioritize security activity and investment, a foundational activity for any organization looking to improve its security capabilities today.
©2017 BLUE CUBE SECURITY LTD. ALL RIGHTS RESERVED.