As organisations rapidly adapt to a virtual business model and a remote workforce as a result of COVID-19, it has become even more challenging to identify and mitigate cyber threats. The survival of a business, and of its wider industry, could therefore depend on its overall cybersecurity maturity and its alignment with security best practices.
AT&T Cybersecurity partnered with the Enterprise Strategy Group (ESG) to assess organisations’ postures across the five foundational cybersecurity functions of the NIST Cybersecurity Framework (CSF): identify, protect, detect, respond and recover. The CSF is the global standard for identifying and mitigating cyber risk, and it has grown in popularity since its introduction in 2014.
The study surveyed 500 cybersecurity and IT professionals who are involved with their organisation’s cybersecurity operations, controls and strategies. It aimed to determine whether organisations that align with NIST CSF best practices operate more secure environments and therefore enable better business outcomes.
The study built a data-driven model that categorises respondents into three levels of cybersecurity maturity: “emerging”, “following” and “leading”. By comparing survey results across these three levels, the model quantifies the differences in security and business outcomes that appear as maturity improves.
The report revealed that cybersecurity maturity is not directly dependent on company size. Although it might be assumed that the largest organisations, with the most resources, would be able to implement a cybersecurity program sophisticated enough to achieve “leader” status, this research highlights that the median company size is identical across all three maturity levels – “leading”, “following”, and “emerging.”
When surveyed on their cybersecurity risk maturity, 29% of tech companies qualified as a stage 3, ‘leading’ organisation, demonstrating a high degree of maturity, followed by retail and healthcare organisations with 22% each; in the manufacturing industry only 1 in 5, or 20%, of organisations qualified for this top category.
Interestingly, financial services organisations were the least likely to qualify for the ‘leading’ stage 3 maturity level, with only 11% reaching this top category, while 44% of financial services companies qualified as ‘emerging’ (stage 1) when their cybersecurity risk maturity was evaluated.
The report also highlights the difference in attitudes across organisations: security teams are seen as ‘enablers’ by line-of-business stakeholders at 55% of ‘leading’ organisations, whereas, in stark contrast, security teams are seen as ‘a necessary inconvenience or roadblock’ by 28% of stakeholders at ‘emerging’ companies.
‘Leading’ organisations have a better grasp on security but still struggle: despite strong security, ‘leading’ companies are not able to triage, investigate or prioritise all of their security events and alerts. In fact, only 40% of them can successfully address around 90% of security events/alerts on a monthly basis.
This research also points to a relationship between business success and cybersecurity acumen, likely anchored by trust, communication and collaboration between people. Over one-quarter (26%) of respondents say that security is viewed as an enabler by line-of-business stakeholders. Despite that, the report demonstrates the relationship between strong security and business achievement, and suggests that successful organisations are willing to invest in security in order to link cybersecurity and business goals.
Companies can assess their own security maturity here.