How prepared are companies to deal with cybersecurity risk? That’s the question EMC asked in their first annual Cybersecurity Poverty Index, which measured the results of a risk maturity self-assessment completed by organizations against the NIST Cybersecurity Framework. More than 400 security professionals across 61 countries responded to the survey, and the message was clear: 75 percent say they lack the maturity to address emerging cybersecurity risks.
Why the dismal outlook? Misallocation of resources may be to blame.
Five Keys to Limit Cybersecurity Risk
The NIST framework covers five key functions of cybersecurity: identify, protect, detect, respond and recover. As noted by Infosecurity Magazine, nearly two-thirds of respondents ranked themselves as “inadequate” across all five areas. More worrisome is the fact that 45 percent said their ability to measure, assess and mitigate cybersecurity risk is either “nonexistent” or “ad hoc,” and just 21 percent considered themselves “mature” in this area. According to ITWeb, the EMC research also found that the assumed link between large organizations and improved IT security may actually be false since 83 percent of enterprises with 10,000 or more employees ranked themselves below the “developed” threshold on the Cybersecurity Poverty Index.
So why all this negativity? Part of the problem stems from the rash of recent data breaches across multiple industries — companies of all shapes and sizes now feel vulnerable, and in many cases, they are unsure that existing protection strategies are effective. And this fear has roots in reality: The survey discovered that for 75 percent of respondents, security resources may not be optimally distributed.
Holding the Line
Where do companies excel? Not surprisingly, the NIST protect category is where most of those asked said they were mature. But SC Magazine pointed out a critical flaw in this resource allotment: Preventative measures are simply not capable of stopping new cyber threats. Rob Sadowski, director of technology solutions at RSA, told SC Magazine that companies are still “following the doctrine of ‘I can prevent attackers from getting that initial foothold’ on their networks.”
But in a corporate landscape filled with evolving bring-your-own-device (BYOD) programs, the accessibility of cloud and unsupported third-party app and continuously evolving malware tools, it becomes impossible for companies to stop attackers at the gate. “We’re living in a world where compromise is inevitable,” Sadowski said, emphasizing that breaching the walls is just the beginning for an attacker. As a result, companies need to spend more on detection and response to cybersecurity risk since big budgets for prevention aren’t actually effective.
Simply put, true cybersecurity maturity comes from the realization that a firewall-based “fortress” model is impossible. Instead, threat containment and agile response are the keys to understanding and combating new malware threats. The NIST standards and EMC’s research reveal a common theme: Companies aren’t confident in their ability to handle risk. A cultural shift, combined with redistribution of resources, could go a long way toward empowering cybersecurity response.