Response, the function which forms the backbone of today's effective security strategies, is ranked last in maturity, followed closely by detection. This is a concern, as the ability to detect and respond to attacks is critical for organisations to develop and mature. In fact, the inability to respond effectively is the key reason why many incidents result in significant damage or loss.
Additionally, two-thirds of respondents experienced incidents that negatively impacted their business operations within the last 12 months. Out of this group, only 22 percent were considered mature in their security strategy. This indicates an inability of organisations to meaningfully improve maturity to reduce risk, and confirms the continued capability of adversaries to exploit gaps in conventional defense strategies.
Breaking it down in terms of geography, organisations in APJ were reported to have the most mature security strategies, with 39 percent ranked as Developed or Advantaged, compared to America (24 percent) and EMEA (26 percent).
According to Jeffrey Kok, Technology Consultant Director of RSA Asia Pacific and Japan, the APJ region stood out among its global counterparts either because APJ companies are overconfident or because there is a lack of data points.
"In the U.S., there is a mandatory disclosure system whereby all listed companies are required to disclose any cyber security incident that affects data privacy. This is the reason why breach cases like Home Depot and Target are being plastered all over the news. These companies have no choice but to disclose - it's a federal offence if they don't," said Kok.
"In contrast, there is no such ruling in Asia. For Singapore, we have the Personal Data Protection Act (PDPA). If you encounter any such incidents, you have to report it to PDPA - the act does not require the company to publicise the incident or require them to inform all affected users. There are simply not enough organisations that are going public which is the reason why we do not have enough data points," he added.
When asked whether he agrees with the idea of public disclosure, Kok said that it is a double-edged sword that has both a positive and a negative impact. Despite this, he feels that its advantages outweigh the cons. Going public with these incidents can help to raise awareness of such security mishaps, said Kok. Without this heightened sense of awareness, the public would not realise the severity of the situation and simply disregard the importance of security.
Overall, the biggest weakness derived from the survey is that the majority of organisations lack the ability to measure, assess and mitigate cybersecurity risk, which makes it difficult, or even impossible, to prioritise security activity and investment. Awareness of the need to improve is often the catalyst for change, and this survey highlights that the majority of organisations need to develop a focused plan for improvement.