As organizations quickly adapt to a virtual business model and external workstations, COVID-19 has made it even more difficult to detect and monitor cyber threats. The survival of a company, and of its sector as a whole, may therefore depend on its overall cyber security maturity and its compliance with security best practices.
AT&T Cybersecurity worked with the Corporate Strategy Group (CSG) to assess organizational views on the five core functions of the NIST Cyber Security Framework (CSF): identification, protection, detection, response and recovery. The CSF is the global standard for the detection and management of cyber threats and has become popular since its introduction in 2014.
The study brought together 500 cybersecurity and information technology professionals involved in the cybersecurity operations, controls and strategies of their organizations. The aim of the study was to determine whether organizations that adhere to NIST CSF best practices can operate in a safer environment and thus do business better.
The research was carried out by creating a data-based model that classifies respondents into three levels of cybersecurity maturity. Comparing the study results for emerging and leading organizations provides data to quantify the differences in security and business performance that appear as maturity increases.
The report showed that the level of cyber security maturity is not directly related to the size of the company. It might be assumed that the largest organizations, with the most resources, are the ones able to implement a cybersecurity program sophisticated enough to achieve leadership status, but this study indicates that the median size of the organization is the same at all three levels of maturity: leader, next and rising.
In the Cyber Security Risk Maturity Survey, 29% of technology companies qualified as third-level organizations with a high degree of maturity, followed by retail and healthcare organizations at 22% each. In the manufacturing sector, only one in five organizations (20%) qualified for this higher category.
It is interesting to note that financial service providers are the least represented at the third level of maturity, with only 11 percent of them in this highest category and 44 percent of them placed at the first level in the assessment of cybersecurity risk maturity.
The report highlights the differences in approach between organisations, with security groups being seen as mediators by stakeholders in 55 percent of leading organisations, while security groups in developing countries are seen as a necessary inconvenience or obstacle by 28 percent of stakeholders.
Leading organizations have a better understanding of security issues, but despite their strong security, even they cannot sort, investigate, or prioritize all security events/alarms. In fact, only 40% of them can successfully manage about 90% of their monthly security events/notifications.
The study also highlights the link between business success and knowledge of cyber security, which is likely to be based on trust, communication and collaboration between people. More than a quarter (26%) of respondents said that security is considered a factor in business development. The report also demonstrates that successful organizations are willing to invest in security in order to link cyber security to business objectives.
Here, companies can assess their own maturity.