June 15, 2015 By Douglas Bonderud 2 min read

How prepared are companies to deal with cybersecurity risk? That’s the question EMC asked in their first annual Cybersecurity Poverty Index, which measured the results of a risk maturity self-assessment completed by organizations against the NIST Cybersecurity Framework. More than 400 security professionals across 61 countries responded to the survey, and the message was clear: 75 percent say they lack the maturity to address emerging cybersecurity risks.

Why the dismal outlook? Misallocation of resources may be to blame.

Five Keys to Limit Cybersecurity Risk

The NIST framework covers five key functions of cybersecurity: identify, protect, detect, respond and recover. As noted by Infosecurity Magazine, nearly two-thirds of respondents ranked themselves as “inadequate” across all five areas. More worrisome is the fact that 45 percent said their ability to measure, assess and mitigate cybersecurity risk is either “nonexistent” or “ad hoc,” and just 21 percent considered themselves “mature” in this area. According to ITWeb, the EMC research also found that the assumed link between large organizations and improved IT security may actually be false since 83 percent of enterprises with 10,000 or more employees ranked themselves below the “developed” threshold on the Cybersecurity Poverty Index.

So why all this negativity? Part of the problem stems from the rash of recent data breaches across multiple industries — companies of all shapes and sizes now feel vulnerable, and in many cases, they are unsure that existing protection strategies are effective. And this fear has roots in reality: The survey discovered that for 75 percent of respondents, security resources may not be optimally distributed.

Holding the Line

Where do companies excel? Not surprisingly, the NIST protect category is where most of those asked said they were mature. But SC Magazine pointed out a critical flaw in this resource allotment: Preventative measures are simply not capable of stopping new cyber threats. Rob Sadowski, director of technology solutions at RSA, told SC Magazine that companies are still “following the doctrine of ‘I can prevent attackers from getting that initial foothold’ on their networks.”

But in a corporate landscape filled with evolving bring-your-own-device (BYOD) programs, the accessibility of cloud and unsupported third-party app and continuously evolving malware tools, it becomes impossible for companies to stop attackers at the gate. “We’re living in a world where compromise is inevitable,” Sadowski said, emphasizing that breaching the walls is just the beginning for an attacker. As a result, companies need to spend more on detection and response to cybersecurity risk since big budgets for prevention aren’t actually effective.

Simply put, true cybersecurity maturity comes from the realization that a firewall-based “fortress” model is impossible. Instead, threat containment and agile response are the keys to understanding and combating new malware threats. The NIST standards and EMC’s research reveal a common theme: Companies aren’t confident in their ability to handle risk. A cultural shift, combined with redistribution of resources, could go a long way toward empowering cybersecurity response.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today