Cybersecurity pros admit to poor security maturity


By Dylan Bushell-Embling
Monday, 15 June, 2015


Nearly three in four cybersecurity professionals admit that their organisations have insufficient levels of security maturity, a global survey from RSA shows.

When given a chance to self-assess the maturity of their cybersecurity programs, nearly 75% of respondents reported insufficient maturity. This rises to 83% in the case of large organisations.

The survey shows that organisations are most mature in terms of preventive capabilities, despite the common understanding that preventive strategies alone aren’t sufficient tools to cope with advanced cyber threats.

The biggest area of immaturity is the ability to measure, assess and mitigate cybersecurity risk, with 45% of respondents describing their capabilities as either non-existent or ad hoc.

Notably, while the financial services sector is widely considered to be the most mature in terms of security, only a third of respondents from the industry rated themselves as well prepared. Companies in the telecom industry self-reported the highest level of maturity.

Organisations in Asia-Pacific and Japan reported the most mature security strategies, with 39% ranking as developed or advantaged. This compares to just 27% of organisations in EMEA and 24% in the Americas.

“Despite [major investments in cybersecurity], even the biggest organisations still feel unprepared for the threats they are facing,” RSA President Amit Yoran commented.

“We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”
