A Path for Accelerating Progress

Introduction

The technology industry provides much of the infrastructure powering the digital transformation of business and personal life around the globe. As such, the effectiveness of the industry’s cybersecurity programs has consequences that reach far beyond the technology industry itself. To assess the current state and direction of cybersecurity in technology organizations around the world, Protiviti has extracted the responses of 250 software, hardware and telecom executives who participated in The Cybersecurity Imperative, a global online survey on cybersecurity practices.^[1] The in-depth interviews with chief information security officers (CISOs) and cybersecurity experts, and input from an executive advisory board, supplement the survey.

(Click on the image to enlarge)

In this white paper, we begin by examining how technology firms assess the implementation of their cybersecurity programs against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.^[2] We then discuss survey findings regarding threats and countertactics and how cybersecurity is supported internally by policies and organizational structure. The report concludes with recommendations that individual technology firms can use to help strengthen their cybersecurity practices.

Detailed Findings

Functional Maturity and Resource Allocation

The NIST Cybersecurity Framework provides a standard checklist of 23 recommended activities grouped into five functions — Identify, Protect, Detect, Respond and Recover — which organizations can use in developing their cybersecurity strategy. In our survey, we asked respondents to evaluate their progress in each of these activities according to the scale shown at the right.

(Click on the image to enlarge)

These self-evaluations reveal that most technology companies have significant work ahead to develop their cybersecurity functions. Very few of the firms represented by the executives we surveyed have reached the advanced level in any of the 23 cybersecurity activities. This finding was echoed in further analysis, in which we aggregated each company’s maturity levels across the entire set of activities and then categorized firms as cybersecurity “beginners,” “intermediates” or “leaders” based on the total of their maturity level scores. Not only does the technology industry lag slightly compared with other industries in the percentage of companies categorized as cybersecurity leaders, but it also has a much higher percentage of cybersecurity beginners.

1. The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change, a research report from a joint effort of ESI ThoughtLab, WSJ Pro Cybersecurity. Protiviti and a group of prominent organizations to conduct rigorous global research and analysis involving a survey of 1,300 global executives across multiple industries, advisory meetings and interviews with leading experts and practitioners, and analytical tools to benchmark approaches and assess performance impacts. The research is available at http://go.dowjones.com/cybersecurity-imperative.

2. The NIST Cybersecurity Framework offers computer security guidance for private sector organizations in the United States to use when assessing and improving their ability to prevent, detect and respond to cyber attacks. It is available at www.nist.gov/cyberframework.

Download the full report from below to access the detailed survey results.