Over the past few months, I've been engaged in a research project on enterprise security management and operations. As part of some quantitative research, ESG created a segmentation model that divided survey respondent organizations into three sub-segments. The segmentation model broke down as follows:
- Organizations classified as security management and operations "leaders:" 19%
- Organizations classified as security management and operations "followers:" 49%
- Organizations classified as security management and operations "laggards:" 32%
I worked on a research project last year focused on Advanced Persistent Threats (APTs) where we created a similar segmentation model. The three sub-segments turned out as follows:
- Organizations classified as most prepared for APTs: 21%
- Organizations classified as somewhat prepared for APTs: 43%
- Organizations classified as poorly prepared for APTs: 36%
There is a consistent and somewhat ominous pattern emerging here that can be summarized using the familiar 80/20 rule. On average, only 20% of large enterprise organizations are adequately prepared for cybersecurity events. The remaining 80% lag behind.
A more specific analysis of this data can be summarized in three areas:
- Risk management. The elite 20% have a much better handle on controlling what is deployed on their networks and on whether these assets are vulnerable to imminent threats. The lagging 80% can't keep up in areas like configuration management, asset management, change management, vulnerability scanning, patching, or threat intelligence.
- Incident detection. The elite 20% retain strong visibility of people, assets, and network traffic in order to baseline normal behavior and quickly identify anomalous behavior. The lagging 80% have trouble monitoring activity, gathering/analyzing data, spotting suspicious trends, and understanding their ramifications.
- Incident response. Almost all organizations have problems here, but the elite 20% do the best job with formal business and IT policies and processes guiding emergency response as well as internal and external communications. The other 80% respond with disorganized "fire drills" that lead to time-consuming delays and costly mistakes.
It is worth noting that the elite 20% are not resting on their laurels. They are the most active in terms of increasing security headcount, working with third-party service providers, testing the effectiveness of their security controls, and building enterprise-class cybersecurity policies, processes, and technology controls.
When we think about the state of enterprise information security today, we tend to focus on the elite cybersecurity 20% when we should be thinking about the lagging 80%. After all, we depend upon this struggling majority for critical infrastructure services and the protection of our personal data. This alone is a very scary thought.