Cybersecurity prowess requires defense in depth, and few enterprises meet that need.
The difference between high, medium and low cyber maturity levels comes down to three sets of practices — planning, activities and board engagement, according to Deloitte.
The most sophisticated and highest performing enterprises plan for defense and cyberthreat response; actively assess risks and meet industry benchmarks; and regularly address cyber-related issues at the board level.
“While no organization is completely immune to a cyberattack, an organization’s cyber maturity with built-in resilience, allowing them to adapt and pivot with their dynamic security posture, may enable quicker recovery after a breach,” Deborah Golden, Deloitte’s U.S. cyber and strategic risk leader, said via email.
Among the 1,110 large organizations Deloitte assessed for its Global Future of Cyber Survey, just 1 in 5 adhere to most or all of the standards set by Deloitte for a high cyber maturity grade.
Among the remaining 80%, there’s a near-even split between organizations graded at the medium and low cyber maturity level.
“All three of the segments (low, medium and high) spanned industries as well as organization size and revenue — indicating that maturity level may not be significantly dependent on a company’s industry or size,” the report said.
Deloitte’s research was based on a survey of cybersecurity decision makers at the director level or higher. Respondents represent organizations across 20 countries with at least 1,000 employees and $500 million in annual revenue.
CISOs play a critical role in cyber maturity, but many of the most mature organizations meet planning, activities and board involvement standards through enterprise-wide efforts, according to Deloitte.
“Viewing cyber as an enterprise wide matter is important,” Golden said. “Taking a unified approach with cyber initiatives can help better position organizations to confidently operate in today’s complex threat environment.”
High-maturity organizations distribute cyber responsibilities throughout the organization by establishing governing bodies, running companywide or board-level incident-response simulations, holding annual cyber awareness training and providing regular updates to the board to secure funding.
Organizations in technology, media, telecom, government, energy, resources and industrials implement more cyber activities than the overall average. Meanwhile, businesses in financial services, life sciences, healthcare, energy, resources and industrials are ahead of the curve on cyber planning strategies, according to Deloitte.
Some of these efforts can deliver a high impact on security at a relatively low cost. This includes more than 40% of the 37 minimum cybersecurity performance goals outlined in October by the Cybersecurity and Infrastructure Security Agency.
Enterprises that meet higher maturity levels aren’t just recognizing benefits typically associated with cybersecurity, such as greater resiliency, risk prevention and detection. More than half of the organizations with high cyber maturity reported a higher confidence to try new things and positive impacts on trust and efficiency, the report said.
Other commonly cited benefits from cyber initiatives include improved brand reputation, operational stability, customer trust, long-term sustainability, talent recruitment and increased revenue. The highest performers, according to Deloitte, get more of that subsequent value across every strategy measure.