RSA CYBERSECURITY POVERTY INDEX 2015



OVERVIEW

Welcome to RSA’s inaugural Cybersecurity Poverty Index™.

The Cybersecurity Poverty Index is the result of an annual maturity self-assessment completed by organizations of all sizes, industries, and geographies across the globe. The assessment was created using the NIST Cybersecurity Framework (CSF). The 2015 assessment was completed by more than 400 security professionals across 61 countries.

Our goal in creating and conducting this global research initiative is two-fold. First, we want to provide a measure of the risk management and information security capabilities of the global population. As an industry leader and authority, we are often asked “why do damaging security incidents continue to occur?” We believe that a fundamental gap in capability is a major contributor, and hope that this research can illuminate and quantify that gap. Second, we wish to give organizations a way to benchmark their capabilities against peers and provide a globally recognized practical standard, with an eye towards identifying areas for improvement.

METHODOLOGY

Organizations rated their own capabilities by responding to 18 questions that covered the five key functions outlined by the CSF: Identify, Protect, Detect, Respond, and Recover.

Ratings used a 5-point scale, with 1 signifying that the organization had no capability in a given area, and 5 indicating that they had highly mature practices in the area.

• Negligent - Falling well short of best security practices and thus neglecting its responsibility to properly protect its IT assets.

• Deficient - Providing inadequate security protection and thus falling short in its responsibility to protect its IT assets.

• Functional - Has generally implemented some security best practices and is thus making progress in providing sufficient protection for its IT assets.

• Developed - Has a well-developed security program and is well positioned to further improve its effectiveness.

• Advantaged - Has a superior security program and is extremely well positioned to defend its IT assets against advanced threats.


OVERALL

The overall survey results found that nearly 75% of respondents have significant cybersecurity risk exposure (with overall capabilities falling below the Developed category).

Only a quarter of respondents surveyed indicated that they have mature security strategies (Developed or above) and just 5% have Advantaged capabilities.

Figure: 75% Significant Cybersecurity Risk Exposure; 20% Mature Security Strategies; 5% Advantaged Capabilities


BY TYPE OF CAPABILITY

Not surprisingly, the strongest reported maturity levels were in the area of Protection. This function forms the basis of conventional security doctrine that is proving less and less effective over time in the face of more advanced cyber attacks and attack campaigns. Response, the function which, along with Detection, forms the backbone of today’s effective security strategies, ranked last in maturity.

Almost two thirds of respondents rated themselves as inadequate (below “Developed”) in every category (Identify, Protect, Detect, Respond, and Recover).

Figure: % of respondents with inadequate levels of capability, by function (Identify, Protect, Detect, Respond, Recover); chart values as extracted: 71%, 71%, 72%, 72%, 66%. Second panel: Average Ranking For Capability.


BY SIZE OF ORGANIZATION

Surprisingly, the results indicate that the size of an organization is not a clear indication of its security maturity.

83% of organizations surveyed with more than 10,000 employees are not well prepared for today’s threats (ranking below Developed in overall maturity).

Figure: bar chart by organization size (Under 1,000; 1,000 - 10,000; Over 10,000); chart values as extracted: 79%, 68%, 83%.


BY NUMBER OF INCIDENTS

Two thirds of respondents had incidents that negatively impacted their business operations in the last 12 months, but only 22% of those were considered mature in their security strategy. This indicates an inability of organizations to meaningfully improve maturity to reduce risk, and confirms the continued capability of adversaries to exploit gaps in conventional defense strategies.

Figure: 66% Negatively Impacted; 22% Considered Mature


BY NUMBER OF INCIDENTS

Organizations that deal with security incidents more regularly are significantly more mature than their peers.

Organizations who reported 40 or more security incidents in the last 12 months are 2.5x more likely to have “Developed” or “Advantaged” overall capabilities than those reporting 1-10 incidents.

Despite this level of “battle testedness” or “hardening”, 63% of organizations with more than 40 incidents in the survey still reported an inadequate level of maturity.

Figure: 40 or More Security Incidents in the Last 12 Months vs. 1-10 Security Incidents in the Last 12 Months; chart values as extracted: 36%, 11%. Caption: 2.5x more likely to have Developed or Advantaged capabilities.


BY GEOGRAPHY

Organizations in APJ reported the most mature security strategies with 39% ranked as developed or advantaged vs. the Americas at 24% and EMEA at 26%.

Figure: distribution of maturity ratings (Negligent, Deficient, Functional, Developed, Advantaged) by region (Americas, APJ, EMEA).


BY VERTICAL

Critical infrastructure operators, the original target audience of the CSF, need to make significant steps forward in their current levels of maturity.

Organizations in the Telecommunications Industry reported the highest level of maturity with 50% of respondents having developed or advantaged capabilities.

Financial Services ranked in-between, with 34% of respondents achieving a rating of developed or advantaged.

Government ranked last across industries in the survey, with only 18% of Government respondents ranking as developed or advantaged.

Figure: bar chart by vertical: Telecommunications 50%; Financial Services 34%; Government 18%.


DETAIL ON INDIVIDUAL CAPABILITIES

The least developed capability across the survey is an organization’s ability to catalog, assess, and mitigate risk. 45% of those surveyed described their capabilities in this area as non-existent or ad hoc, with only 21% believing that they have mature or mastered capabilities in this domain.

The inability to assess risk makes it very difficult to prioritize security activity and investment, a foundational activity for any organization looking to improve their security capabilities.

IAM (“managing and governing identities and their access to IT resources”) ranked as the most developed capability, with 38% of respondents rating their capabilities as mature or mastered.

While many organizations recognize that identity is one of their remaining security control points, there is still quite a bit of room for improvement in the population at large. Identity remains one of the leading vectors for advanced attacks.


DETAIL ON INDIVIDUAL CAPABILITIES

The ability to detect and respond to attacks is critical for organizations to develop and mature. The inability to effectively respond is a key reason why many incidents result in significant damage or loss.

Capabilities to detect threats (“monitoring network, endpoint, server, and application activity to detect potential security issues”) are generally immature and less developed than other capabilities, with 35% of organizations in the survey describing their capabilities as either non-existent or ad hoc.

Capabilities for incident response and recovery were consistently seen as underdeveloped, with an average of 28% of respondents rating their capabilities as mature or mastered across the function.

Coordination of incident response activity was the second least developed capability overall, with 42% of organizations describing their internal and external coordination capabilities as non-existent or ad hoc.


CONCLUSION

The results speak for themselves. There is work to be done to improve risk management and cybersecurity capabilities regardless of company size, geography, or vertical industry.

Two important findings stand out from the wealth of data. First, the biggest weakness of surveyed organizations is the ability to measure, assess and mitigate cybersecurity risk, which makes it difficult or impossible to prioritize security activity and investment.

Second, the survey demonstrates that organizations still overemphasize protection over detection and response, despite the fact that protection / preventative capabilities alone are fundamentally incapable of stopping today’s greatest cyber threats. RSA believes that the ability to detect and respond to cyber attacks before they result in damage or loss is the most important capability that organizations must develop and refine.

Awareness of the need to improve is often the catalyst for change, and the evidence provided by the inaugural index provides a powerful incentive for the majority of organizations to develop a focused plan for improvement.

If you completed the survey this year, we thank you for your participation, and look forward to your continued input in future years. If you did not participate, we encourage you to complete the survey and obtain a benchmark that can help plan for advancing your organization’s capabilities.


EMC2, EMC, the EMC logo, RSA, and the RSA logo are registered trade marks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. 04/15 eBook H14262
