75% CISOs Lack Cyber Security Maturity

by CXOtoday News Desk    Jun 17, 2015


With the explosion of digital technologies and practices, cyber-security continues to be one of the principal issues faced by organizations and their CISOs. Despite growing awareness of this topic, a gap remains that prompts analysts to bring it into focus time and again. In a recent survey of top security executives by RSA, the security division of EMC, nearly 75% of all respondents self-reported insufficient levels of security maturity.

The global survey, which polled over 400 CISOs and security officers across 60 countries, aimed to offer global insight into how organizations rate their overall cybersecurity maturity and practices across a variety of organizational sizes, industries and geographies.

While larger organizations are typically thought of as having the resources to mount a more substantive cyber defense, the results of the survey indicate that size is not a determinant of strong cybersecurity maturity, said the study.

The lack of overall maturity is not surprising as many organizations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months.  The most mature capability revealed in the research was the area of Protection.

The research results provide quantitative insight that the most mature area of organizations’ cybersecurity programs and capabilities is preventative solutions, despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks.

Counter to expectations, the research indicates that the size of an organization is not an indicator of maturity. In fact, 83% of surveyed organizations with more than 10,000 employees rated their capabilities as less than “developed” in overall maturity. This result suggests that large organizations’ overall experience and visibility into advanced threats make them aware of the need for greater maturity than their current standing.

Large organizations’ weak self-assessed maturity ratings indicate their understanding of the need to move to detection and response solutions and strategies for more robust and mature security, said the study.

Also counter to expectations were the results from financial services organizations, a sector often cited as industry-leading in terms of security maturity. The financial organizations surveyed did not rank themselves as the most mature industry, with only one third rating themselves as well-prepared. Critical infrastructure operators, the original target audience for the CSF, will need to make significant steps forward from their current levels of maturity.

Organizations in the telecommunications industry reported the highest level of maturity, with 50% of respondents having developed or advantaged capabilities, while government ranked last across industries in the survey, with only 18% of respondents ranking as developed or advantaged. The lower self-assessments of maturity in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape and of the need to build more mature capabilities to match it.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats. Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing,” said Amit Yoran, President, RSA, The Security Division of EMC.

He believes organizations need to change the way they think about security, and that starts by acknowledging that prevention alone is a failed strategy and that more attention needs to be paid to strategies based on detection and response.

For a holistic cyber security perspective, security maturity begins in the boardroom. “Company management must acknowledge information security as a priority, and support the IT team in its implementation,” Robert C. Covington, security expert and founder and president of togoCIO.co, wrote in a Computerworld blog.

“Everyone in the organization must accept that their responsibilities include information security. It has been my experience that most employees, once someone explains the high stakes, will do their part. The few that won’t are a liability, and should be directed to alternate employment opportunities,” he added.

The bottom line, experts believe, is that security maturity is not measured by the amount of money you spend but by how well you handle the fundamentals; CXOs should have adequate protection, detection and response capabilities to handle these issues, the study noted.