Does size matter when it comes to cybersecurity?

RSA released its inaugural Cybersecurity Poverty Index that compiled survey results from more than 400 security professionals across 61 countries. The survey allowed participants to self-assess the maturity of their cybersecurity programs leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick.

While larger organizations are typically thought of as having the resources to mount a more substantive cyber defense, the results of the survey indicate that size is not a determinant of strong cybersecurity maturity and nearly 75% of all respondents self-reported insufficient levels of security maturity.


The lack of overall maturity is not surprising as many organizations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months. The most mature capability revealed in the research was the area of Protection. Organizations’ most mature area of their cybersecurity program and capabilities are in preventative solutions despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks.

“Our industry and the people in it have been pushing to balance detection and response with cybersecurity’s natural bias toward prevention,” according to Trey Ford, global security strategist at Rapid7. “We know it isn’t if but when an incident will happen. – they will happen The question that matters is where it happens and how long it takes to identify the incident, contain and eradicate what follows – dwell time is a critical stat executives should be tracking,” Ford added.

“Teams that are actively looking for issues in their environments will more often than not find them, and as a result, will be able to better inform preventative measures and have a better handle on how resilient the organization is to an attack. Those security teams will have a more grounded, and probably humble, perspective on their program maturity — and they may find better funding or executive-level support as a result,” according to Ford.

The greatest weakness of the organizations surveyed is the ability to measure, assess and mitigate cybersecurity risk with 45% of those surveyed describing their capabilities in this area as “non-existent,” or “ad hoc,” and only 21% reporting that they are mature in this domain. This shortfall makes it difficult or impossible to prioritize security activity and investment, a foundational activity for any organization looking to improve their security capabilities today.

Brian Honan, Special Advisor on Internet Security to Europol’s EC3, believes that years of under-investment by the defenders mean many are unable to prevent, detect, or deal with a security incident.


Counter to expectations, the research indicates that the size of an organization is not an indicator of maturity. In fact, 83% of organizations surveyed with more than 10,000+ employees rated their capabilities as less than “developed” in overall maturity.

This result suggests that large organizations’ overall experience and visibility into advanced threats dictate the need for greater maturity than their current standing. Large organizations’ weak self-assessed maturity ratings indicate their understanding of the need to move to detect and response solutions and strategies for a more robust and mature security.

Despite conventional wisdom, the Financial Services organizations surveyed did not rank themselves as the most mature industry, with only one third rating as well-prepared. Critical infrastructure operators, the original target audience for the CSF, will need to make significant steps forward in their current levels of maturity.

Organizations in the Telecommunications industry reported the highest level of maturity with 50% of respondents having developed or advantaged capabilities, while Government ranked last across industries in the survey, with only 18% of respondents ranking as developed or advantaged. The lower self-assessments of maturity in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape and their need to build more mature capabilities to match it.


Despite the fact that the CSF was developed in the United States, the reported maturity of organizations in the Americas ranked behind both APJ and EMEA, which is one of the greatest surprises of this report, according to Anton Chuvakin, Research Vice President at Gartner. Organizations in APJ reported the most mature security strategies with 39% ranked as developed or advantaged in overall maturity while only 26% of organizations in EMEA and 24% of organizations in the Americas rated as developed or advantaged.

Rob Sadowski, Director of Technology Solutions at RSA, told Help Net Security how the Cybersecurity Poverty Index allows us to understand the state of cybersecurity maturity across the industry. “The results clearly demonstrate that when it comes to security capabilities, organizations still emphasize protection over detection and response, despite the fact that protection alone is fundamentally incapable of stopping today’s greatest cyber threats.”

More about

Don't miss