Companies around the globe are plagued by compromises to their IT assets despite pouring considerable sums of money into their cybersecurity efforts. It’s clear, then, that naively throwing money at the problem won’t keep the bad guys at bay. Companies need to fundamentally rethink their approach to security.
That is among the more sobering findings in the Cybersecurity Poverty Index, which is a study RSA released this week. More than 400 security executives from organizations of varying sizes, industry verticals, and geographies responded to a series of questions about how mature they felt their cyber defenses were.
Based on NIST’s Cybersecurity Framework, respondents rated themselves on a five-point scale ranging from one (“negligent”) to five (“advantaged”). The resulting data shattered some commonly held myths and assumptions about maturity from a cybersecurity perspective.
Only a third of financial services firms, long believed to be at the bleeding edge of information security due to the billions in currency that flow through their networks, considered themselves well-prepared for an attack.
The results also debunked the notion that big companies (those with 10,000 or more employees) have the most mature defenses to deal with advanced threats. In fact, 83% of them rated their capabilities on the lower end of the maturity scale.
Of the hundreds of firms surveyed, nearly 75% believed that they lacked the maturity to thwart an attack. Moreover, only five percent felt they had the highest rated capabilities. Five percent!
While one has to examine self-assessments through an appropriate lens, the data corroborates what I’ve already come to believe from talking with information security professionals all over the world: organizations need to fundamentally shift their mindset away from prevention, with its false sense of security, and move toward monitoring and response. Having greater visibility into the IT environment is among the most effective ways to deal with threat actors.
Visibility is about gathering data across all assets – from the endpoint to the network to the cloud. By gleaning insights afforded by that visibility, organizations can mitigate the risks they face until acceptable levels are reached.
Being able to baseline “normal” behavior simplifies the process of identifying outliers that often are emblematic of malicious behaviors. So, when (not if) an attack occurs, security professionals can trace its origins and then scope the intrusion properly. It’s all about connecting the dots.
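To make the baselining idea concrete, here is a small added example (not code from the original post or from RSA) that builds a per-host baseline of "normal" daily activity and flags observations that fall outside it. The host names, the seven-day history and today's counts are constructed sample data, and the three-standard-deviation threshold is an assumed setting a team would tune for its own environment:

```python
import statistics

# Constructed sample data: seven daily outbound-connection counts per host,
# representing the "normal" window, followed by today's observed counts.
BASELINE_WINDOW = {
    "ws-01": [40, 42, 38, 45, 41, 39, 44],
    "ws-02": [12, 15, 11, 14, 13, 12, 16],
    "db-01": [200, 210, 195, 205, 198, 202, 207],
}
OBSERVED_TODAY = {"ws-01": 43, "ws-02": 95, "db-01": 201}


def build_baseline(history):
    """Return {host: (mean, stdev)} describing each host's normal daily count."""
    baseline = {}
    for host, counts in history.items():
        mean = statistics.fmean(counts)
        # A constant series has zero spread; fall back to 1.0 so any change is measurable.
        stdev = statistics.pstdev(counts) or 1.0
        baseline[host] = (mean, stdev)
    return baseline


def find_outliers(baseline, observed, threshold=3.0):
    """Flag hosts whose observed count deviates more than `threshold` standard
    deviations from their baseline. Hosts with no baseline at all are surfaced
    too (z-score None), because an asset nobody has seen before is itself a signal."""
    outliers = []
    for host, value in observed.items():
        if host not in baseline:
            outliers.append((host, value, None))
            continue
        mean, stdev = baseline[host]
        z = (value - mean) / stdev
        if abs(z) > threshold:
            outliers.append((host, value, round(z, 1)))
    return outliers


def run_example():
    """Build the baseline from the constructed history and score today's counts."""
    return find_outliers(build_baseline(BASELINE_WINDOW), OBSERVED_TODAY)


if __name__ == "__main__":
    for host, value, z in run_example():
        print(f"{host}: observed {value}, z-score {z}")
```

In the constructed data only ws-02 is flagged (a sevenfold jump against a tight history), while the normal day-to-day wobble of ws-01 and db-01 stays under the threshold. The point is the workflow rather than the statistic: once the baseline exists, an analyst has a starting host and a time window from which to trace the origin and scope of an intrusion.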
Yet, most companies don’t do enough in this area, partly because they still cling to old habits. That may explain why they gave themselves high marks for protection, a conventional approach that loses its effectiveness as cyber-attacks become more sophisticated.
Until organizations liberate themselves from the hackneyed prevention-centric focus and increase their investment in detection and response, they will fail to keep pace with threats that grow more clever and sinister by the day.