A new survey focusing on cybersecurity, released by RSA, the Security Division of EMC, has revealed a number of interesting and alarming findings with regards to the security landscape and how it impacts on businesses.

The first eyebrow raising result is that the second annual RSA Cybersecurity Poverty Index, which compiled survey results from 878 respondents across 81 countries and more than 24 industries, attracted more than double the number of respondents as last year. From this, it is not difficult to infer that security has become a growing concern, or at least is being taken even more seriously.

The next interesting finding to emerge is that organisations which invest in detection and response technologies, rather than perimeter-based solutions, are better poised to defend against cyber incidents.

While providing participants with the chance to self-assess the maturity of their cybersecurity programs leveraging the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) as the measuring stick, the survey revealed a startling result: 75% of survey respondents have a significant cybersecurity risk exposure for the second year running.

Dark clouds

The outlook for companies, from a security point of view, only becomes grimmer from there. The report noted that even as Incident Response (IR) capabilities are particularly underdeveloped, nearly half of the organisations surveyed characterised essential IR capabilities as “ad hoc” or “non-existent.”

And yet, it appears that organisations are more likely to accelerate programs to shore up cybersecurity capabilities once they have experienced a security incident that impacted the business. Furthermore, the survey also showed that most businesses continue to struggle to improve cybersecurity because they don’t understand how cyber risk can impact their operations.

Amit Yoran, president RSA

Once bitten, twice shy

According to RSA, there has been plenty of anecdotal evidence that companies tend to delay investments in cybersecurity until they experience the pain first hand. In addition, companies which primarily rely on a perimeter defense philosophy are disadvantaged in finding malicious activity, and risk public exposure of critical business assets.

The results of the RSA Cybersecurity Poverty Index solidified this concept, reporting that those which detect and experience frequent security incidents are 65% more likely to have developed or advantaged capabilities. This, it elaborated, indicated that organisations that regularly deal with security incidents accelerate moves to shore up security programs and end up with more mature capabilities.

However, it advised that organisations should focus on executing preventative strategies and make improving these a priority.

Looking back to look ahead

One of the most significant changes from the 2015 survey was the increase in the number of organisations with mature cybersecurity programs. The percentage of those reporting advantaged capabilities – the highest category – increased by more than half over the prior Index, from 4.9% to 7.4%.

But organisations’ overall perception of their cybersecurity preparedness continued to lag. The number of respondents reporting significant cybersecurity risk exposure stayed steady at nearly 75%, reflecting a growing disparity between the “haves and have-nots” in security preparedness.  

The survey also showed that organisations continue to struggle with their ability to take proactive steps to improve their cybersecurity and risk posture. Overall, 45% of those surveyed described their ability to catalog, assess and mitigate cyber risk as “non-existent,” or “ad hoc” and only 24% reported that they are mature in this domain.

The inability to quantify their Cyber Risk Appetite (the risks they face and the potential impacts on their organisations) makes it difficult to prioritize mitigation and investment, a foundational activity for any business aiming to improve its security and risk posture.

Winners and losers

For the second year, the survey results highlighted how critical infrastructure operators, the original target audience for the CSF, need to make significant steps forward in their current levels of maturity. Government and energy organisations ranked lowest across industries in the survey, with only 18% of respondents ranking as developed or advantaged.

Somewhat more comforting is that organisations in the aerospace and defense industry reported by far the highest level of maturity with 39% of respondents having developed or advantaged capabilities. On the downside, financial services organisations, a sector often cited as industry-leading due to the large volume of cyberattacks it faces, placed in between with 26% rating their firms as well prepared – down from 33% a year ago.

In a nutshell

“This second round of cybersecurity research provides tangible evidence that organisations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing,” commented Amit Yoran, president, RSA.

“We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organisations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action,” he concluded.