RSA, The Security Division of EMC, has released data demonstrating that organisations that invest in detection and response technologies, rather than perimeter-based solutions, are better poised to defend against cyber incidents.

The second annual RSA Cybersecurity Poverty Index, which compiles survey results from 878 respondents across 81 countries and more than 24 industries, attracted more than double the number of respondents as last year, and gave participants the chance to self-assess the maturity of their cyber security programmes, leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick.

The report found, for the second year in a row, 75% of survey respondents have a significant cyber security risk exposure. Incident response (IR) capabilities are particularly underdeveloped. Nearly half of organisations characterised essential IR capabilities as "ad hoc" or "non-existent", but organisations are more likely to accelerate programmes to shore up cyber security capabilities once they have experienced a security incident that impacted the business. The survey also showed that most organisations continue to struggle to improve cyber security because they don't understand how cyber risk can impact their operations.

There has been plenty of anecdotal evidence that companies tend to delay investments in cyber security until they experience the pain first-hand. In addition, companies that primarily rely on a perimeter defence philosophy are at a greater disadvantage of finding malicious activity, and risk public exposure of critical business assets.

The results of the RSA Cybersecurity Poverty Index solidified this concept, reporting the organisations that detect and experience frequent security incidents are 65% more likely to have developed or advantaged capabilities. This shows that organisations that regularly deal with security incidents accelerate moves to shore up security programmes and end up with more mature capabilities. Businesses must focus on executing preventative strategies and make improving this a priority over other capabilities, which are growing in importance, such as detection and response.

One of the most significant changes from the 2015 survey was the increase in the number of organisations with mature cyber security programmes. The percentage of companies reporting advantaged capabilities – the highest category – increased by more than half over the prior Index, from 4.9% to 7.4%. But their overall perception of their cyber security preparedness continued to lag. The number of respondents reporting significant cyber security risk exposure stayed steady at nearly 75%, reflecting a growing disparity between the "haves and have nots" in security preparedness.

The survey also showed that organisations continue to struggle with their ability to take proactive steps to improve their cyber security and risk posture. Overall, 45% of those surveyed described their ability to catalogue, assess and mitigate cyber risk as "non-existent" or "ad hoc", and only 24% reported they are mature in this domain. The inability to quantify their cyber risk appetite – the risks they face and the potential impacts on their organisations – makes it difficult to prioritise mitigation and investment, a foundational activity for any organisation looking to improve their security and risk posture.

For the second year, the survey results highlight how critical infrastructure operators, the original target audience for the CSF, need to make significant steps forward in their current levels of maturity. Government and energy organisations ranked lowest across industries in the survey, with only 18% of respondents ranking as developed or advantaged. Organisations in the aerospace and defence industry reported by far the highest level of maturity, with 39% of respondents having developed or advantaged capabilities. Financial services firms, a sector often cited as industry-leading due to the large volume of cyber attacks it faces, placed in between, with 26% rating their firms as well prepared – down from 33% a year ago.

The reported maturity of organisations in the Americas continued to rank behind both EMEA and APJ. Companies in EMEA reported the most mature security strategies, with 29% ranked as developed or advantaged in overall maturity, while only 26% of organisations in APJ and 23% of organisations in the Americas rated as developed or advantaged. EMEA overtook APJ for the top ranking, moving up three percentage points, while APJ dropped 13 points.

"The research shows that victim demographics range far and wide, and when it comes to having your data compromised, no country, industry or business is bulletproof," says Anton Jacobsz, MD at Networks Unlimited, the value-added distributor, which distributes RSA solutions across 23 countries in Africa. "Organisations need to be proactive when it comes to establishing their detection and response security strategy – waiting for a breach to first happen means you have been outmanoeuvred, and the damage could be irreparable."

Methodology

To evaluate cyber security maturity, respondents self-assessed their capabilities against the CSF. The CSF was used to provide guidance based on existing standards, guidelines and practices for reducing cyber risks, and was created through collaboration between industry and government. While the CSF was initially developed in the United States with the aim of helping to reduce cyber risks to critical infrastructure, organisations worldwide have found it to be a prioritised, flexible, repeatable and cost-effective approach for managing cyber risk. Thus, it serves as an excellent baseline to assess any company's core cyber security and cyber risk management capabilities.

Businesses rated their own capabilities in the five key functions outlined by the CSF: identify, protect, detect, respond, and recover. Ratings used a five-point scale, with one signifying the organisation had no capability in a given area, and five indicating it had highly mature practices in the area.