- For the second straight year, 75% of survey respondents have a significant cybersecurity risk exposure
- Organizations that report more business-impacting security incidents are 65% more likely to have advanced cyber maturity capabilities
- Half of those surveyed assess their incident response capabilities as either "ad hoc" or "nonexistent"
- Less mature Organizations continue to mistakenly implement more perimeter technologies as a stop gap measure to prevent incidents from occurring
- Government and Energy ranked lowest among industries in cyber preparedness
- American entities continue to rank themselves behind both APJ and EMEA in overall cyber maturity
BEDFORD, MA, June 14, 2016 – Today, RSA, The Security Division of EMC (NYSE: EMC), released data demonstrating that organizations that invest in detection and response technologies, rather than perimeter-based solutions, are better poised to defend against cyber incidents. The second annual RSA Cybersecurity Poverty Index, which compiles survey results from 878 respondents across 81 countries and more than 24 industries, attracted more than double the number of respondents as last year, and gave participants the chance to self-assess the maturity of their cybersecurity programs leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick. The report found that for the second year in a row, 75% of survey respondents have a significant cybersecurity risk exposure. Incident Response (IR) capabilities are particularly underdeveloped. Nearly half of organizations characterized essential IR capabilities as "ad hoc" or "non-existent", but organizations are more likely to accelerate programs to shore up cybersecurity capabilities once they have experienced a security incident that impacted the business. The survey also showed that most organizations continue to struggle to improve cybersecurity because they don't understand how cyber risk can impact their operations.
There has been plenty of anecdotal evidence that companies tend to delay investments in cybersecurity until they experience the pain first hand. In addition, companies which primarily rely on a perimeter defense philosophy are disadvantaged in finding malicious activity, and risk public exposure of critical business assets. The results of the RSA Cybersecurity Poverty Index solidified this concept, reporting that the organizations that detect and experience frequent security incidents are 65% more likely to have developed or advantaged capabilities. This shows that organizations that regularly deal with security incidents accelerate moves to shore up security programs and end up with more mature capabilities. Organizations must focus on executing preventative strategies and make improving this a priority over other capabilities which are growing in importance such as detection and response.
One of the most significant changes from the 2015 survey was the increase in the number of organizations with mature cybersecurity programs. The percentage of organizations reporting advantaged capabilities – the highest category – increased by more than half over the prior Index, from 4.9% to 7.4%. But organizations' overall perception of their cybersecurity preparedness continued to lag. The number of respondents reporting significant cybersecurity risk exposure stayed steady at nearly 75%, reflecting a growing disparity between the "haves and have-nots" in security preparedness.
The survey also showed that organizations continue to struggle with their ability to take proactive steps to improve their cybersecurity and risk posture. Overall, 45% of those surveyed described their ability to catalog, assess and mitigate cyber risk as "non-existent," or "ad hoc" and only 24% reported that they are mature in this domain. The inability to quantify their Cyber Risk Appetite (the risks they face and the potential impacts on their organizations) makes it difficult to prioritize mitigation and investment, a foundational activity for any organization looking to improve their security and risk posture.
For the second year, the survey results highlight how critical infrastructure operators, the original target audience for the CSF, need to make significant steps forward in their current levels of maturity. Government and energy organizations ranked lowest across industries in the survey, with only 18% of respondents ranking as developed or advantaged. Organizations in the aerospace and defense industry reported by far the highest level of maturity with 39% of respondents having developed or advantaged capabilities. Financial Services organizations, a sector often cited as industry-leading due to the large volume of cyberattacks it faces, placed in between with 26% rating their firms as well prepared – down from 33% `a year ago.
The reported maturity of organizations in the Americas continued to rank behind both EMEA and APJ. Organizations in EMEA reported the most mature security strategies with 29% ranked as developed or advantaged in overall maturity while only 26% of organizations in APJ and 23% of organizations in the Americas rated as developed or advantaged. EMEA overtook APJ for the top ranking, moving up 3 percentage points while APJ dropped 13 points.
To assess cybersecurity maturity, respondents self-assessed their capabilities against the CSF, which designed to provide guidance based on existing standards, guidelines and practices for reducing cyber risks, and was created through collaboration between industry and government. While the CSF was initially developed in the United States with the aim of helping to reduce cyber risks to critical infrastructure, organizations worldwide have found it to be a prioritized, flexible, repeatable and cost-effective approach for managing cyber risk. Thus, it serves as an excellent baseline to assess any organization's core cybersecurity and cyber risk management capabilities.
Organizations rated their own capabilities in the five key functions outlined by the CSF: Identify, Protect, Detect, Respond, and Recover. Ratings used a 5-point scale, with 1 signifying that the organization had no capability in a given area, and 5 indicating that it had highly mature practices in the area.
Amit Yoran, President, RSA, The Security Division of EMC
"This second round of cybersecurity research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing. We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action."
- Download the RSA Cybersecurity Poverty Index eBook providing valuable insights into organizations' cyber security maturity
- Take the same Cybersecurity Maturity Assessment that was used for the RSA Cybersecurity Poverty Index to determine your own organization's maturity
- View the RSA Cybersecurity Poverty Index Infographic
- Download RSA's Cyber Risk Appetite whitepaper
- Connect with RSA via Twitter, YouTube, LinkedIn and the RSA Speaking of Security Blog
RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA's award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to www.rsa.com.
This release contains "forward-looking statements" as defined under the Federal Securities Laws. Actual results could differ materially from those projected in the forward-looking statements as a result of certain risk factors, including but not limited to: (i) risks associated with the proposed acquisition of EMC by Denali Holdings, Inc., the parent company of Dell, Inc., including, among others, assumptions related to the ability to close the acquisition, the expected closing date and its anticipated costs and benefits; (ii) adverse changes in general economic or market conditions; (iii) delays or reductions in information technology spending; (iv) the relative and varying rates of product price and component cost declines and the volume and mixture of product and services revenues; (v) competitive factors, including but not limited to pricing pressures and new product introductions; (vi) component and product quality and availability; (vii) fluctuations in VMware, Inc.'s operating results and risks associated with trading of VMware stock; (viii) the transition to new products, the uncertainty of customer acceptance of new product offerings and rapid technological and market change; (ix) risks associated with managing the growth of our business, including risks associated with acquisitions and investments and the challenges and costs of integration, restructuring and achieving anticipated synergies; (x) the ability to attract and retain highly qualified employees; (xi) insufficient, excess or obsolete inventory; (xii) fluctuating currency exchange rates; (xiii) threats and other disruptions to our secure data centers or networks; (xiv) our ability to protect our proprietary technology; (xv) war or acts of terrorism; and (xvi) other one-time events and other important factors disclosed previously and from time to time in the filings of EMC, the parent company of RSA, with the U.S. Securities and Exchange Commission. EMC and RSA disclaim any obligation to update any such forward-looking statements after the date of this release.