Corporate information-security executives and managers lack confidence in their company’s ability to fend off cyber-attacks and protect their customer and business data, according to a survey published on June 9 by security firm RSA.
About three-quarters of the 400 companies polled by RSA considered their overall information-security capabilities to be average or below average, the company stated. The survey, which RSA branded as a Cybersecurity Poverty Index, found that about four out of every 10 companies considered their security program to be “functional”—the average rating—rather than “developed” or “advantaged”—the two higher ratings.
Business size did not appreciably impact companies’ ratings of their capabilities, with 83 percent of large companies and 79 percent of small companies considering their overall security to be “average,” “deficient,” or “negligent.”
“Relative to where people think they need to be, they are falling short,” Zully Ramzan, CTO for RSA, told eWEEK. “The goal is, over time, to improve the index and have a baseline in place where people can compare their relative maturities.”
The research used an 18-question survey to gauge whether companies have the capabilities suggested by the Cybersecurity Framework, an effort by the U.S. National Institute of Standards and Technology to create guidelines for cyber-security programs. RSA researchers hoped to measure the relative maturity of information-security programs at a variety of companies and create an overall index to benchmark companies and industries.
The five components of an information-security program include identifying threats, protecting information assets, detecting attacks, responding to incidents and recovering from compromises. Companies typically were most confident in their ability to protect their networks and data, with a third of respondents rating their ability to defend as “developed” or “advantaged.” Organizations were least mature in their ability to respond to incidents, with 72 percent of companies rating their ability to effectively respond as “average” or worse.
Yet the survey results are not clearly measuring maturity. Because the poll relies on self assessment, a corporate manager’s confidence in his or her own company’s ability to protect the network and data, and catch attackers, is a major factor in responses. Some of the industries thought to be most mature—such as financial firms—have only an average maturity level according to the index.
“Ignorance can be bliss when it comes to self assessment,” Ramzan said. “Industries that are ahead of their peers tend to think themselves less ahead, because they understand the challenges.”
Perhaps the most interesting data point is that companies that reported more security incidents were also more likely to have mature information-security capabilities, according to RSA. Of the companies encountering at least 40 incidents in the last year, more than a third had the best two rankings for overall security capabilities. For those that had 10 or fewer incidents, 11 percent considered themselves to have mature information-security programs.