RSA CYBERSECURITY POVERTY INDEX 2015

Transcription

1 RSA CYBERSECURITY POVERTY INDEX 2015

2 OVERVIEW Welcome to RSA s inaugural Cybersecurity Poverty Index. The Cybersecurity Poverty Index is the result of an annual maturity self-assessment completed by organizations of all sizes, industries, and geographies across the globe. The assessment was created using the NIST Cybersecurity Framework (CSF). The 2015 assessment was completed by more than 400 security professionals across 61 countries. Our goal in creating and conducting this global research initiative is two-fold. First, we want to provide a measure of the risk management and information security capabilities of the global population. As an industry leader and authority, we are often asked why do damaging security incidents continue to occur? We believe that a fundamental gap in capability is a major contributor, and hope that this research can illuminate and quantify that gap. Second, we wish to give organizations a way to benchmark their capabilities against peers and provide a globally recognized practical standard, with an eye towards identifying areas for improvement. 2

3 METHODOLOGY Organizations rated their own capabilities by responding to 18 questions that covered the five key functions outlined by the CSF: Identify, Protect, Detect, Respond, and Recover. Ratings used a 5 point scale, with 1 signifying that the organization had no capability in a given area, and 5 indicating that they had highly mature practices in the area. Negligent - Falling well short of best security practices and thus neglecting its responsibility to properly protect its IT assets Deficient - Providing inadequate security protection and thus falling short in its responsibility to protect its IT assets. Functional - Has generally implemented some security best practices and thus making progress in providing sufficient protection for its IT assets. Developed - Has a well-developed security program and is well positioned to further improve its effectiveness. Advantaged - Has a superior security program and is extremely well positioned to defend its IT assets against advanced threats. 3

4 OVERALL The overall survey results found that nearly 75% of respondents have significant cybersecurity risk exposure (with overall capabilities falling below the Developed category). Only a quarter of respondents surveyed indicated that they have mature security strategies (Developed or above) and just 5% have Advantaged capabilities. 20% Mature Security Strategies 5% Advantaged Capabilities 75% Significant Cybersecurity Risk Exposure 4

5 BY TYPE OF CAPABILITY Not surprisingly, the strongest reported maturity levels were in the area of Protection - this function forms the basis of conventional security doctrine that is proving less and less effective over time in the face of more advanced cyber attacks and attack campaigns. Response, the function which, along with Detection, forms the backbone of today s effective security strategies ranked last in maturity. Average Ranking For Capability % of respondents with inadequate levels of capability 66% 71% 71% 72% 72% Almost two thirds of respondents rated themselves as inadequate (below Developed ) in every category (Identify, Protect, Detect, Respond, and Recover). Identify Protect Detect Respond Recover 5

6 BY SIZE OF ORGANIZATION Surprisingly, the results indicate that the size of an organization is not a clear indication of its security maturity. 100% 90% 83% of organizations surveyed with more than 10,000+ employees are not well prepared for today s threats (ranking below Developed in overall maturity). 80% 70% 60% 50% 40% 30% 79% 68% 83% 20% 10% 0% Under 1,000 1,000-10,000 Over 10,000 6

7 BY NUMBER OF INCIDENTS Two thirds of respondents had incidents that negatively impacted their business operations in the last 12 months, but only 22% of those were considered mature in their security strategy. This inidicates an inability of organizations to meaningfully improve maturity to reduce risk, and confirms the continued capability of adversaries to exploit gaps in conventional defense strategies. 66% Negatively Impacted 22% Considered Mature 7

8 BY NUMBER OF INCIDENTS 36% 40 or More Security Incidents in the Last 12 Months 2.5x more likely to have Developed or Advantaged capabilities 11% 1-10 Security Incidents in the Last 12 Months Organizations that deal with security incidents more regularly are significantly more mature than their peers. Organizations who reported 40 or more security incidents in the last 12 months are 2.5x more likely to have Developed or Advantaged overall capabilities than those reporting 1-10 incidents. Despite this level of battle testedness or hardening, 63% of organizations with more than 40 incidents in the survey still reported an inadequate level of maturity. 8

9 BY GEOGRAPHY Organizations in APJ reported the most mature security strategies with 39% ranked as developed or advantaged vs. the Americas at 24% and EMEA at 26%. 50% 40% Americas APJ EMEA 30% 20% 10% 0% Negligent Deficient Functional Developed Advantaged 9

10 BY VERTICAL Critical infrastructure operators, the original target audience of the CSF need to make significant steps forward in their current levels of maturity. 100% 90% 80% 70% 60% 50% Organizations in the Telecommunications Industry reported the highest level of maturity with 50% of respondents having developed or advantaged capabilities. 50% Financial Services ranked in-between, with 34% of respondents achieving a rating of developed or advantaged. Government ranked last across industries in the survey, with only 18% of Government respondents ranking as developed or advantaged. 40% 30% 20% 10% 34% $ 18% 0% Telecommunications Financial Services Government 10

11 DETAIL ON INDIVIDUAL CAPABILITIES 21% 45% The least developed capability across the survey is an organization s ability to catalog, assess, and mitigate risk. 45% of those surveyed described their capabilities in this area as non-existent or ad hoc, with only 21% believing that they have mature or mastered capabilities in this domain. The inability to assess risk makes it very difficult to prioritize security activity and investment, a foundational activity for any organization looking to improve their security capabilities. IAM ( managing and governing identities and their access to IT resources ) ranked as the most developed capability, with 38% of respondents rating their capabilities as mature or mastered. 38% While many organizations recognize that identity is one of their remaining security control points, there is still quite a bit of room for improvement in the population at large. Identity remains one of the leading vectors for advanced attacks. 11

12 DETAIL ON INDIVIDUAL CAPABILITIES Capabilities to detect threats monitoring network, endpoint, server, and application activity to detect potential security issues are generally immature and less developed than other capabilities, with 35% of organizations in the survey describing their capabilities as either non-existent or ad hoc. 35% 28% Capabilities for incident response and recovery were consistently seen as underdeveloped, with an average of 28% of respondents rating their capabilities as mature or mastered across the function. Coordination of incident response activity was the second least developed capability overall, with 42% of organizations describing their internal and external coordination capabilities as non-existent or ad hoc. 42% The ability to detect and respond to attacks is critical for organizations to develop and mature. The inability to effectively respond is a key reason why many incidents result in significant damage or loss. 12

13 CONCLUSION The results speak for themselves. There is work to be done to improve risk management and cybersecurity capabilities regardless of company size, geography, or vertical industry. Two important findings standout from the wealth of data. First, the biggest weakness of surveyed organizations is the ability to measure, assess and mitigate cybersecurity risk, which makes it difficult or impossible to prioritize security activity and investment. Second, the survey demonstrates that organizations still overemphasize protection over detection and response, despite the fact that protection / preventative capabilities alone are fundamentally incapable of stopping today s greatest cyber threats. RSA believes that the ability to detect and respond to cyber attacks before they result in damage or loss is the most important capability that organizations must develop and refine. Awareness of the need to improve is often the catalyst for change, and the evidence provided by the inaugural index provides a powerful incentive for the majority of organizations to develop a focused plan for improvement. If you completed the survey this year, we thank you for your participation, and look forward to your continued input in future years. If you did not participate, we encourage you to complete the survey and obtain a benchmark that can help plan for advancing your organization s capabilities. Take the survey today 13

14 EMC 2, EMC, the EMC logo, RSA, and the RSA logo are registered trade marks or trademarks of EMC Corporation in the United States and other countries. Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. 04/15 ebook H14262 Cybersecurity Poverty Index