The Security Division of EMC surveyed 878 respondents across 81 countries and more than 24 industries, and recently issued a report that found that 75% of survey respondents have significant cybersecurity risk exposure.
Incident Response (IR) capabilities are particularly underdeveloped. Nearly half the businesses surveyed characterized essential IR capabilities as “ad hoc” or “non-existent”, and are more likely to accelerate programs to shore up cybersecurity capabilities only after they have experienced a deleterious security incident.
The report shows that businesses that detect and experience frequent security incidents are 65% more likely to have developed advantaged capabilities. In other words, organizations that regularly deal with security incidents accelerate steps to shore up security programs and end up with more mature capabilities.
Overall, 45% of those surveyed described their ability to catalogue, assess and mitigate cyber risk as “non-existent” or “ad hoc”, and only 24% reported that they are mature in this domain.
The inability to quantify Cyber Risk Appetite (the risks they face and the potential impacts on their organizations) makes it difficult to prioritize mitigation and investment, a fundamental step for improving security and risk posture.
These survey results highlight how critical infrastructure operators, the original target audience, need to make significant steps forward in their current levels of maturity.
Government and energy organizations ranked lowest across industries in the survey, with only 18% of respondents ranking as developed or advantaged.
Organizations in the aerospace and defense industry reported by far the highest level of maturity with 39% of respondents having developed or advantaged capabilities.
Financial services organizations, a sector often cited as industry-leading due to the large volume of cyberattacks it faces, placed in between, with only 26% rating their firms as well prepared. The reported maturity of organizations in the Americas continued to rank behind both EMEA and APJ.
Organizations in EMEA reported the most mature security strategies with 29% ranked as developed or advantaged in overall maturity while only 26% of organizations in APJ and 23% of organizations in the Americas rated as developed or advantaged. EMEA overtook APJ for the top ranking, moving up 3 percentage points while APJ dropped 13 points.
Amit Yoran, president of The Security Division of EMC, says: “This research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing.
“We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response.
“Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action.”
At issue is understanding. Most businesses struggle to improve cybersecurity because they don’t understand how cyber risk can impact their business. Perhaps a focus on education in potential damages would help to accelerate investment in detection and response technologies.