RSA Cybersecurity Poverty Index™ 2015
From the overview:
Welcome to RSA’s inaugural Cybersecurity Poverty Index™.
The Cybersecurity Poverty Index is the result of an annual maturity self-assessment completed by organizations of all sizes, industries, and geographies across the globe. The assessment was created using the NIST Cybersecurity Framework (CSF). The 2015 assessment was completed by more than 400 security professionals across 61 countries.
Our goal in creating and conducting this global research initiative is two-fold. First, we want to provide a measure of the risk management and information security capabilities of the global population. As an industry leader and authority, we are often asked “why do damaging security incidents continue to occur?” We believe that a fundamental gap in capability is a major contributor, and hope that this research can illuminate and quantify that gap. Second, we wish to give organizations a way to benchmark their capabilities against peers and provide a globally recognized practical standard, with an eye towards identifying areas for improvement.
…
You are unlikely to find anything you don’t already “know” or at least suspect in this report. Still, I think it is worth reading in order to understand the depth of the cybersecurity problem.
As far as the “why do damaging security incidents continue to occur?” question, the “fundamental gap in capacity” is a symptom, but not an answer.
You need only read between the lines of the reports of the recent, catastrophic hack on OPM, to realize that off-the-shelf techniques were used to breach security that was known and publicly reported to be faulty. The gap in that case wasn’t “capacity” but the lack of an organizational imperative to take cybersecurity seriously and to allocate resources accordingly.
As long as cybersecurity remains a non-priority, as evidenced by its resourcing in corporate and government budgets, hackers will remain ten or more years ahead those trying to secure data.