Over the past few months, I've been engaged in a research project on enterprise security management and operations. As part of the quantitative research, ESG created a segmentation model that divided survey-respondent organizations into three sub-segments. The segmentation model broke down as follows:
I worked on a research project last year focused on Advanced Persistent Threats (APTs) in which we created a similar segmentation model. The three sub-segments turned out as follows:
There is a consistent and somewhat ominous pattern emerging here that can be summarized using the familiar 80/20 rule. On average, only 20% of large enterprise organizations are adequately prepared for cybersecurity events. The remaining 80% lag behind.
A more specific analysis of this data can be summarized in three areas:
It is worth noting that the elite 20% are not resting on their laurels. They are the most active in terms of increasing security headcount, working with third-party service providers, testing the effectiveness of their security controls, and building enterprise-class cybersecurity policies, processes, and technology controls.
When we think about the state of enterprise information security today, we tend to focus on the elite cybersecurity 20% when we should be thinking about the lagging 80%. After all, we depend on this struggling majority for critical infrastructure services and the protection of our personal data. That alone is a very scary thought.