- The cybersecurity maturity of large organizations remains insufficient (46% overall maturity)
- Cyber budgets account for only 6.1% of the overall IT budget across all industry sectors
- There is less than one person dedicated to cybersecurity for every 1,500 employees!
- 30% of large organizations remain highly exposed to the risk of ransomware
- The ability to recover and rebuild in the wake of an attack remains the most complex issue to address (only 40% maturity)
As cyber attacks (criminal, hacktivist and state-sponsored) increase, all the more so in a shaken geopolitical context, and as organizations speed up their digital transformation efforts, two questions arise: "What is the current state of security within the various sectors?" and "What are the strengths and weaknesses of large organizations when it comes to cybersecurity?"
To answer these questions, Wavestone has conducted a detailed benchmark based on field assessments of more than 180 security measures, mapped to the requirements of the international NIST Cybersecurity Framework (CSF) and the ISO 27001/27002 standards.
Over the past three years, data from more than 75 organizations, representing over three million users, has been aggregated and analyzed. The results show that large organizations still have a long way to go, with an overall maturity score of only 46%.
At 46%, the cyber maturity of large organizations is below average
Behind the overall figure of 46%, the study reveals significant disparities between sectors. The finance sector stands out with 54.4% maturity, which can be explained by substantial and long-standing investment in cybersecurity, driven by a dense body of regulation. The energy sector is second (51.8%), followed by the industrial/manufacturing sector (44.8%), which is lagging behind as it undertakes digital transformation initiatives. Then come services (42.5%) and, lastly, the public sector (36.9%); the latter, although well aware of cyber risks, struggles to secure the funding needed to improve. Organizations covered by critical infrastructure security regulations (the NIS Directive, or the French LPM) are generally more mature than the rest (55.4% vs. 43.3%).
30% of organizations remain highly exposed to ransomware
Through its incident response team, CERT-Wavestone, Wavestone handles numerous cyber-attacks on behalf of its clients. For this study, the main weaknesses exploited by cybercriminals in those incidents were mapped, and a dedicated maturity assessment was conducted against them. It shows that:
- 30% of organizations remain highly prone to ransomware attacks. This mostly affects the services and public sectors, although some financial and industrial players are clearly not immune either.
- Very large organizations (Fortune 100-type) are harder targets, as they display a higher level of maturity (55%).
Shortage of talent remains the issue…
As everywhere in the world, cybersecurity faces a constant shortage of talent: 10,000+ positions are open at any given time. Large organizations are trying to reverse the trend by steadily strengthening their teams, with large differences depending on each sector's digital maturity.
In terms of headcount, organizations have less than one person dedicated to cybersecurity for every 1,500 employees(!). This scant figure is insufficient to face the current challenges, and the average masks wide disparities between sectors.
…as well as dedicated financial investments
Of organizations' overall IT budget, only 6.1% is dedicated to security. That share rises steeply, to 13%, among organizations that have suffered a cyber incident, which argues for investing proactively rather than after the fact.
Gérôme Billois, Partner in charge of Wavestone’s cybersecurity activity adds that “the realization of a crisis enables a high degree of mobilization from senior executives and activates the mechanisms for higher levels of investment.”
By sector, those devoting the largest share of their IT budget to security are industry/manufacturing (7%) and public services (6.6%). Finance (5.8%), energy (5.5%) and services (4%) are lower. Finance, however, invested heavily in previous years, and its IT budgets are larger than those of any other sector, so a smaller share still represents substantial spending.
Many other cybersecurity challenges for companies
- Across the strategic functions of cybersecurity, maturity in detecting (46%) and responding to (45%) attacks has now caught up with protection (47%), thanks to massive investment in these areas in recent years. However, the ability to recover and rebuild in the wake of an attack remains a complex issue (40% maturity).
- Regarding protection technologies, most organizations have succeeded in widely deploying the most effective solutions: EDR (endpoint detection and response, on workstations and servers) and multi-factor authentication (MFA). On average, 51% of organizations have deployed an EDR, covering 67% of their estate, and 61% have deployed MFA, covering 63% of authentications. Much more remains to be done on Active Directory security (only 24% of security operations centers analyze Active Directory incidents) and on resilience (only 17% of organizations have fully tested their IT disaster recovery plan).
- For the industrial/manufacturing sector, the biggest issue is still securing industrial information systems (35% maturity). Legacy systems were generally designed without security by default and are now becoming increasingly open and interconnected. Initial efforts have been made, such as setting up governance (50%) and isolating industrial networks (66%), but these are often hard to complete, and these perimeters are still barely monitored (22%).
- Because of the volume of assets involved, the hardest challenges today remain application security and data security, along with, perhaps surprisingly, cloud security, where poor practices are still common. For instance, more than 42% of organizations let administrators access their cloud environment with just a username and password, with no second factor.
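The last finding, administrators reaching the cloud with a password alone, is one of the easiest to check for yourself. The following is an added example, not part of the Wavestone study: it parses the CSV produced by `aws iam get-credential-report` (after base64 decoding) and flags every principal that can sign in to the console with a password but has no MFA device. The report embedded below is constructed sample data with a subset of the real report's columns; since rows are read by column name, the same code runs on a full report. The credential report does not say who is an administrator, so the set of admin user names is a hypothetical input the caller derives elsewhere (for example from group membership or attached policies); the root account is always treated as an administrator.

```python
"""Audit an AWS IAM credential report for console users without MFA.

Added example, not part of the Wavestone benchmark. Input is the
credential-report CSV; output is a list of findings for principals
that can log in with only a password.
"""
import csv
import io

# Constructed sample report (a subset of the real columns). The real
# report has many more columns; DictReader lets the code ignore them.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2021-02-27T08:12:44+00:00,false,false
alice,arn:aws:iam::123456789012:user/alice,true,2021-02-28T09:00:00+00:00,true,false
bob,arn:aws:iam::123456789012:user/bob,true,2021-02-26T17:41:03+00:00,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,no_information,false,true
carol,arn:aws:iam::123456789012:user/carol,true,no_information,false,false
"""

ROOT = "<root_account>"


def _has_console_password(row):
    # The report uses the strings "true"/"false". For the root account
    # password_enabled is reported as "not_supported" because root
    # always has a console password, so treat that as enabled too.
    return row["password_enabled"].strip().lower() in ("true", "not_supported")


def _is_true(value):
    return value.strip().lower() == "true"


def find_password_only_users(report_csv, admins=frozenset()):
    """Return findings for principals with a console password and no MFA.

    `admins` is a hypothetical set of user names the caller considers
    administrators (not present in the report itself). Each finding is
    a dict with the user name, a severity, and whether the user also
    holds an active access key (a password-only admin with API keys is
    a broader target).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if not _has_console_password(row):
            continue  # API-only user: no console password to attack
        if _is_true(row["mfa_active"]):
            continue  # password plus MFA: acceptable
        is_admin = row["user"] == ROOT or row["user"] in admins
        findings.append({
            "user": row["user"],
            "severity": "critical" if is_admin else "high",
            "has_access_key": _is_true(row["access_key_1_active"]),
        })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    # "bob" is assumed to be an administrator for this run.
    results = find_password_only_users(SAMPLE_REPORT, admins={"bob"})
    for f in results:
        print(f"{f['severity']:8} {f['user']:15} access_key={f['has_access_key']}")
    print(summarize(results))
```

On the sample data this reports the root account and `bob` as critical and `carol` as high, while `alice` (MFA enabled) and `ci-deploy` (no console password) are not listed. On a real account, pass the decoded content of `aws iam get-credential-report --query Content --output text | base64 -d` as `report_csv`; any critical finding is exactly the password-only administrator access the study describes.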
Maturity levels were measured against international standards (NIST CSF and ISO 27001/27002) during assignments carried out by Wavestone consultants, mostly through declarative interviews with the security managers of the evaluated organizations. The sample, as of March 1, 2021, includes more than 75 organizations (two-thirds of them with more than 10,000 employees, including 15 Fortune 100 groups) and represents more than three million employees. The data from these individual assessments was consolidated and analyzed by Wavestone's specialist teams.