Big companies no better at cybersecurity than small ones, CSOs admit

Large organisations aren't necessarily any better at cybersecurity than small ones, according to a new survey of CSOs that found Asia-Pacific organisations consider themselves the most-prepared in the world – even though fully three-quarters of respondents believe their organisation lacks the maturity to address cybersecurity risks.

Asked to rank their cybersecurity maturity on a five-stage scale against the NIST Cybersecurity Framework (CSF), the more than 400 security professionals participating in RSA's first Cybersecurity Poverty Index – spread across organisations of all size in 61 countries – admitted they were still failing to measure up.

Fully 83 percent of respondents from large companies – those with more than 10,000 employees – said they were below 'developed' in maturity, while nearly 45 percent categorised their ability to measure, assess, and mitigate cybersecurity risks as 'non-existent' or 'ad-hoc'; by contrast, only 21 percent of respondents rated themselves as 'mature' in this area.

Smaller companies were actually more positive about their cybersecurity preparedness, with 27 percent saying they had 'developed' capabilities, compared with just 17 percent in larger organisations.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats,” RSA president Amit Yoran said in a statement. “Despite investment in these areas, however, even the biggest organisations still feel unprepared for the threats they are facing.”

Contrary to popular wisdom about the progressive security posture of banks and insurance companies, only one-third of respondents from financial-services companies ranked themselves as being well-prepared to deal with cybersecurity threats.

Telecommunications providers had the highest self-reported preparedness, with 50 percent having 'developed' or 'advantaged' capabilities, while government was the worst-ranked with just 18 percent of respondents rating themselves as 'developed' or 'advantaged'.

Asia-Pacific and Japan (APJ) organisations rated themselves as having the most mature security strategies, with 39 percent ranked as 'developed' or 'advantaged'. This was well ahead of the EMEA (26 percent) and Americas (24 percent) regions.

The broad range of maturity ratings is, Yoran said, “a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”


The CSF organises an organisation's security policy-building around five core functions: Identify, Protect, Detect, Respond, and Recover. It is one of a growing number of frameworks designed to direct the cybersecurity efforts of organisations of all sizes; another is Australia's Protective Security Policy Framework (PSPF), which outlines 36 different areas to be addressed as part of a security framework.

The low showing for government organisations reflects the immense task ahead of Australian government organisations, which were recently given until September by the newly-formed Digital Transformation Office (DTO) to produce a formal plan for ensuring their compliance with PSPF guidelines.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


