Big companies no better at cybersecurity than small ones, CSOs admit

Large organisations aren't necessarily any better at cybersecurity than small ones, according to a new survey of CSOs that found Asia-Pacific organisations consider themselves the most-prepared in the world – even though fully three-quarters of respondents believe their organisation lacks the maturity to address cybersecurity risks.

Asked to rank their cybersecurity maturity on a five-stage scale against the NIST Cybersecurity Framework (CSF), the more than 400 security professionals participating in RSA's first Cybersecurity Poverty Index – spread across organisations of all sizes in 61 countries – admitted they were still failing to measure up.

Fully 83 percent of respondents from large companies – those with more than 10,000 employees – said they were below 'developed' in maturity, while nearly 45 percent categorised their ability to measure, assess, and mitigate cybersecurity risks as 'non-existent' or 'ad-hoc'; by contrast, only 21 percent of respondents rated themselves as 'mature' in this area.

Smaller companies were actually more positive about their cybersecurity preparedness, with 27 percent saying they had 'developed' capabilities as against just 17 percent in larger organisations.

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats,” RSA president Amit Yoran said in a statement. “Despite investment in these areas, however, even the biggest organisations still feel unprepared for the threats they are facing.”

Contrary to popular wisdom about the progressive security posture of banks and insurance companies, only one-third of respondents from financial-services companies ranked themselves as being well-prepared to deal with cybersecurity threats.

Telecommunications providers had the highest self-reported preparedness, with 50 percent having 'developed' or 'advantaged' capabilities, while government was the worst-ranked with just 18 percent of respondents rating themselves as 'developed' or 'advantaged'.

Asia-Pacific and Japan (APJ) organisations rated themselves as having the most mature security strategies, with 39 percent ranked as 'developed' or 'advantaged'. This was well ahead of the EMEA (26 percent) and Americas (24 percent) regions.

The broad range of maturity ratings is, Yoran said, “a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”


The CSF organises an organisation's security policy-building process around five core functions: Identify, Protect, Detect, Respond, and Recover. It is one of a growing number of frameworks designed to direct the cybersecurity efforts of organisations of all sizes; another is Australia's Protective Security Policy Framework (PSPF), which outlines 36 different areas to be addressed as part of a security framework.

The low showing for government organisations reflects the immense task ahead of Australian government organisations, which were recently given until September by the newly-formed Digital Transformation Office (DTO) to produce a formal plan for ensuring their compliance with PSPF guidelines.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
