RSA CYBERSECURITY POVERTY INDEX 2015
OVERVIEW
Welcome to RSA's inaugural Cybersecurity Poverty Index. The Cybersecurity Poverty Index is the result of an annual maturity self-assessment completed by organizations of all sizes, industries, and geographies across the globe. The assessment was created using the NIST Cybersecurity Framework (CSF). The 2015 assessment was completed by more than 400 security professionals across 61 countries.
Our goal in creating and conducting this global research initiative is two-fold. First, we want to provide a measure of the risk management and information security capabilities of the global population. As an industry leader and authority, we are often asked, "Why do damaging security incidents continue to occur?" We believe that a fundamental gap in capability is a major contributor, and hope that this research can illuminate and quantify that gap. Second, we wish to give organizations a way to benchmark their capabilities against peers and provide a globally recognized practical standard, with an eye towards identifying areas for improvement.
METHODOLOGY
Organizations rated their own capabilities by responding to 18 questions that covered the five key functions outlined by the CSF: Identify, Protect, Detect, Respond, and Recover. Ratings used a 5-point scale, with 1 signifying that the organization had no capability in a given area, and 5 indicating that they had highly mature practices in the area.
Negligent - Falling well short of best security practices and thus neglecting its responsibility to properly protect its IT assets.
Deficient - Providing inadequate security protection and thus falling short in its responsibility to protect its IT assets.
Functional - Has generally implemented some security best practices and is thus making progress in providing sufficient protection for its IT assets.
Developed - Has a well-developed security program and is well positioned to further improve its effectiveness.
Advantaged - Has a superior security program and is extremely well positioned to defend its IT assets against advanced threats.
OVERALL
The overall survey results found that nearly 75% of respondents have significant cybersecurity risk exposure (with overall capabilities falling below the Developed category). Only a quarter of respondents surveyed indicated that they have mature security strategies (Developed or above) and just 5% have Advantaged capabilities.
Chart: 75% Significant Cybersecurity Risk Exposure; 20% Mature Security Strategies; 5% Advantaged Capabilities.
BY TYPE OF CAPABILITY
Not surprisingly, the strongest reported maturity levels were in the area of Protection. This function forms the basis of conventional security doctrine that is proving less and less effective over time in the face of more advanced cyber attacks and attack campaigns. Response, the function which, along with Detection, forms the backbone of today's effective security strategies, ranked last in maturity.
Almost two thirds of respondents rated themselves as inadequate (below Developed) in every category (Identify, Protect, Detect, Respond, and Recover).
Chart: Average Ranking For Capability, % of respondents with inadequate levels of capability, by function (Identify, Protect, Detect, Respond, Recover); values shown: 66%, 71%, 71%, 72%, 72%.
BY SIZE OF ORGANIZATION
Surprisingly, the results indicate that the size of an organization is not a clear indication of its security maturity. 83% of organizations surveyed with more than 10,000 employees are not well prepared for today's threats (ranking below Developed in overall maturity).
Chart: organizations by number of employees (Under 1,000; 1,000-10,000; Over 10,000); values shown: 79%, 68%, 83%.
BY NUMBER OF INCIDENTS
Two thirds of respondents had incidents that negatively impacted their business operations in the last 12 months, but only 22% of those were considered mature in their security strategy. This indicates an inability of organizations to meaningfully improve maturity to reduce risk, and confirms the continued capability of adversaries to exploit gaps in conventional defense strategies.
Chart: 66% Negatively Impacted; 22% Considered Mature.
Organizations that deal with security incidents more regularly are significantly more mature than their peers. Organizations that reported 40 or more security incidents in the last 12 months are 2.5x more likely to have Developed or Advantaged overall capabilities than those reporting 1-10 incidents. Despite this level of battle testedness or hardening, 63% of organizations with more than 40 incidents in the survey still reported an inadequate level of maturity.
Chart: 36%, 40 or More Security Incidents in the Last 12 Months; 11%, 1-10 Security Incidents in the Last 12 Months; 2.5x more likely to have Developed or Advantaged capabilities.
BY GEOGRAPHY
Organizations in APJ reported the most mature security strategies, with 39% ranked as developed or advantaged vs. the Americas at 24% and EMEA at 26%.
Chart: share of respondents at each maturity level (Negligent, Deficient, Functional, Developed, Advantaged) for the Americas, APJ, and EMEA.
BY VERTICAL
Critical infrastructure operators, the original target audience of the CSF, need to make significant steps forward in their current levels of maturity.
Organizations in the Telecommunications Industry reported the highest level of maturity, with 50% of respondents having developed or advantaged capabilities. Financial Services ranked in-between, with 34% of respondents achieving a rating of developed or advantaged. Government ranked last across industries in the survey, with only 18% of Government respondents ranking as developed or advantaged.
Chart: respondents with developed or advantaged capabilities: Telecommunications 50%, Financial Services 34%, Government 18%.
DETAIL ON INDIVIDUAL CAPABILITIES
The least developed capability across the survey is an organization's ability to catalog, assess, and mitigate risk. 45% of those surveyed described their capabilities in this area as non-existent or ad hoc, with only 21% believing that they have mature or mastered capabilities in this domain. The inability to assess risk makes it very difficult to prioritize security activity and investment, a foundational activity for any organization looking to improve their security capabilities.
IAM ("managing and governing identities and their access to IT resources") ranked as the most developed capability, with 38% of respondents rating their capabilities as mature or mastered. While many organizations recognize that identity is one of their remaining security control points, there is still quite a bit of room for improvement in the population at large. Identity remains one of the leading vectors for advanced attacks.
Capabilities to detect threats (monitoring network, endpoint, server, and application activity to detect potential security issues) are generally immature and less developed than other capabilities, with 35% of organizations in the survey describing their capabilities as either non-existent or ad hoc.
Capabilities for incident response and recovery were consistently seen as underdeveloped, with an average of 28% of respondents rating their capabilities as mature or mastered across the function. Coordination of incident response activity was the second least developed capability overall, with 42% of organizations describing their internal and external coordination capabilities as non-existent or ad hoc.
The ability to detect and respond to attacks is critical for organizations to develop and mature. The inability to effectively respond is a key reason why many incidents result in significant damage or loss.
CONCLUSION
The results speak for themselves. There is work to be done to improve risk management and cybersecurity capabilities regardless of company size, geography, or vertical industry. Two important findings stand out from the wealth of data. First, the biggest weakness of surveyed organizations is the ability to measure, assess and mitigate cybersecurity risk, which makes it difficult or impossible to prioritize security activity and investment. Second, the survey demonstrates that organizations still overemphasize protection over detection and response, despite the fact that protection / preventative capabilities alone are fundamentally incapable of stopping today's greatest cyber threats. RSA believes that the ability to detect and respond to cyber attacks before they result in damage or loss is the most important capability that organizations must develop and refine.
Awareness of the need to improve is often the catalyst for change, and the evidence provided by the inaugural index provides a powerful incentive for the majority of organizations to develop a focused plan for improvement.
If you completed the survey this year, we thank you for your participation, and look forward to your continued input in future years. If you did not participate, we encourage you to complete the survey and obtain a benchmark that can help plan for advancing your organization's capabilities.
EMC², EMC, the EMC logo, RSA, and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. 04/15 ebook H14262 Cybersecurity Poverty Index