RSA just released results of our second annual RSA Cybersecurity Poverty Index. We're really excited about the results, but it may not be for the reasons you think. We're excited because of the number of respondents (more than double the 2015 Index), the breadth of industries and governments represented, and the amount of time organizations are taking to assess their security and risk management programs. The results themselves show that there is a lot of room for organizations to improve.
The basis of the RSA Cybersecurity Poverty Index is the widely recognized NIST Cybersecurity Framework (CSF). In an online self-assessment, respondents answer questions organized around the CSF's five core functions: Identify, Protect, Detect, Respond and Recover. Their answers determine their maturity level in each function.
One of the main findings from the survey is that, overwhelmingly, organizations believe they aren't where they need to be. Overall, 75% of respondents reported significant cybersecurity risk exposure. Only 18% of respondents indicated that they have Developed capabilities, and just 7% have Advantaged capabilities. Two-thirds of respondents rated themselves as inadequate in all five of the CSF's core functions. These numbers have not materially improved since our last Index.
The survey also reflects that organizations know there are things they need to do to improve, but don't necessarily know how to do them or where to start. This is where the CSF helps: it gives organizations a solid, best-practice-based framework from which to build a roadmap and begin their journey. The RSA Cybersecurity Poverty Index results show that many organizations need help identifying and managing risk, which is exactly why we used the CSF as the basis for the assessment. It allows organizations and their leaders to identify, prioritize and manage cyber risk.
I'm often asked by organizations, from the boardroom to the C-suite to operators: "How do we get better?" The first thing I tell them is that they need to know themselves. I ask: "What are your priorities, your biggest risks, and your current status?" Combined with the CSF, the answers to those questions are enough to develop a roadmap. I also highly recommend a third-party assessment. Something I learned in all my years in the Navy: a different set of eyes, trained and experienced in a particular field, will surface things I missed. It doesn't matter how mature or experienced an organization and its leaders are; a clean view from an external source always pays dividends.
So, are we getting any better? My answer is yes. Through the use of the CSF, organizations have begun to take action. The RSA Cybersecurity Poverty Index results demonstrate greater acceptance, awareness and adoption of the CSF. But there is a long cruise ahead of them, and they need to keep their focus on the mission.
If you haven't already done so this year, take RSA's Cybersecurity Maturity self-assessment, and find out about your organization's cybersecurity maturity to start building your own plan.