Examining security process maturity in 400 organizations

There’s an overall failure in maturity of security processes of over 400 organizations in industries ranging from e-commerce, retail and payment processor to telecommunications, petroleum and more, a SecureTrust report reveals.

Organizations were given a maturity score from zero to five (with 3.5 or above recommended) derived from the SecureTrust Compliance Intelligence model which leverages the Payment Card Industry Data Security Standard (PCI DSS) baseline of technical and operational requirements for protecting data.

E-commerce ranks highest overall

E-commerce at 3.01 has the highest overall maturity rating as an industry and has the top maturity score for each of the eight control areas, however, still falling short of the 3.5 recommended minimum. Telecommunications ranks second at 2.84 followed by Service Provider at 2.75. Hosting Providers scored lowest overall at 2.14.

Maturity by control area needs to improve

No single control area scored a maturity rating at or above 3.0 which characterized them as an unpredictable and poorly controlled approach to carrying out a repeatable process.

Data Protection scored highest at 2.73 followed by Application Software Security at 2.67, Training at 2.66, Boundary Defense at 2.65, User Management at 2.65, Asset Management 2.63 and Security Testing and Monitoring at 2.58.

Boundary defense lacks operational effectiveness

Breaching boundary defenses is a primary objective for threat actors looking to gain access to databases and workstations. As boundary lines fade between internal and external networks as organizations push digital transformation initiatives, SecureTrust findings show weakness in initial policy design and operational execution in every industry analyzed.

E-commerce scored highest at 3.02 with Service Providers second at 2.86. Telecommunications came in third at 2.82 and Retail surprisingly followed at 2.77. Coming in last was Hosting Providers at a low 1.96.

Lack of asset visibility adding significant risk

End of life operating systems, unpatched devices, corrupted websites and files are all avenues for compromise. Without proper visibility and control of assets deployed in an organization, improving process maturity is a futile endeavor.

SecureTrust found configure management issues and patch management failures in all industries assessed with none achieving a score of three or better. E-commerce scored highest at 2.96 followed by Service Providers at 2.85, Telecommunications at 2.81 and Retail coming in fourth at 2.69. Petroleum and Hosting Providers scored lowest at 2.60 and 1.90.

Management of users and data protection falls short

Adversaries are capitalizing on poor user management and shortcomings around data protection. SecureTrust found flaws in password and authentication controls and around administrative access consistently across industries observed.

E-commerce performed highest in terms of user management at 3.03 along with Service Providers and Telecommunications at 2.85 and 2.80. Additionally, weak encryption algorithms were found to be widely used along with improper network segregation and isolation of sensitive data.

E-commerce scored best for data protection at 3.05 and Hosting Providers scored worst at 2.32.

“Our 2019 findings coincide closely with the continuous stream of breaches and privacy violations frequently in the headlines,” said Michael Petitti, president at SecureTrust.

“We are seeing organizations in all industries putting the cart before the horse by incorporating security technologies without first gaining a clear picture of the controls and policies needed to achieve process maturity goals.

“As the attack surface continues to widen and businesses accelerate digital transformation initiatives, it will be even more imperative for assets, policies, controls and protection to align.”