The war against cyber attackers isn’t going well, as daily reports of breaches around the world attest. Another measure emerged this week from an RSA survey of infosec pros suggesting that those who work in the trenches don’t have much confidence in their own efforts.
For the second year in a row three-quarters of survey respondents asked to rate the maturity of their cyber security programs scored themselves as still having a significant cybersecurity risk exposure.
Incident Response (IR) capabilities are particularly underdeveloped, with nearly half of organizations characterizing essential IR capabilities as “ad hoc” or “non-existent.”
This isn’t the bad news. The bad news, according to an RSA press release, is respondents said their organizations were more likely to accelerate programs to shore up cybersecurity capabilities after suffering a security incident that impacted the business. This sounds like closing the barn door after the horse is gone.
RSA said the survey also showed that most organizations continue to struggle to improve cybersecurity because they don’t understand how cyber risk can impact their operations.
“There has been plenty of anecdotal evidence that companies tend to delay investments in cybersecurity until they experience the pain first hand,” RSA said in a release. “In addition, companies which primarily rely on a perimeter defense philosophy are disadvantaged in finding malicious activity, and risk public exposure of critical business assets.” Survey results “solidified this concept, reporting that the organizations that detect and experience frequent security incidents are 65 per cent more likely to have developed or advantaged capabilities. This shows that organizations that regularly deal with security incidents accelerate moves to shore up security programs and end up with more mature capabilities.
“Organizations must focus on executing preventative strategies and make improving this a priority over other capabilities which are growing in importance such as detection and response.”
The survey, which RSA calls the Cybersecurity Poverty Index, has to be considered carefully. Only 878 respondents from 81 countries, half of them from the Americas, participated. Respondents rated their cybersecurity programs by answering 18 questions based on the NIST Cybersecurity Framework (CSF) on their ability to identify, detect and respond to threats, protect data and recover from attacks.
Respondents could rate their organizations as mastered, mature, progressing, ad hoc or not currently done for each of the five functions. Their totals gave an overall score on a five-level scale: Negligent (the worst), Deficient, Functional, Developed and Advantaged (has a superior security program and is extremely well positioned to defend its IT assets against advanced threats).
Only seven per cent described their organization as Advantaged. Eighteen per cent had Developed capabilities, leaving the remaining 75 per cent scoring Developed (have some best practices), Functional or Deficient. For RSA, that means this group still carries significant cyber risk.
But RSA also said responses show organizations that invest in detection and response technologies, rather than perimeter-based solutions, are better poised to defend against cyber incidents.