The technology industry provides much of the infrastructure powering the digital transformation of business and personal life around the globe. As such, the effectiveness of the industry’s cybersecurity programs has consequences that reach far beyond the technology industry itself. To assess the current state and direction of cybersecurity in technology organizations around the world, Protiviti has extracted the responses of 250 software, hardware and telecom executives who participated in The Cybersecurity Imperative, a global online survey on cybersecurity practices.[1] The in-depth interviews with chief information security officers (CISOs) and cybersecurity experts, and input from an executive advisory board, supplement the survey.
In this white paper, we begin by examining how technology firms assess the implementation of their cybersecurity programs against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.[2] We then discuss survey findings regarding threats and countertactics and how cybersecurity is supported internally by policies and organizational structure. The report concludes with recommendations that individual technology firms can use to help strengthen their cybersecurity practices.
The NIST Cybersecurity Framework provides a standard checklist of 23 recommended activities grouped into five functions — Identify, Protect, Detect, Respond and Recover — which organizations can use in developing their cybersecurity strategy. In our survey, we asked respondents to evaluate their progress in each of these activities according to the scale shown at the right.
These self-evaluations reveal that most technology companies have significant work ahead to develop their cybersecurity functions. Very few of the firms represented by the executives we surveyed have reached the advanced level in any of the 23 cybersecurity activities. This finding was echoed in further analysis, in which we aggregated each company’s maturity levels across the entire set of activities and then categorized firms as cybersecurity “beginners,” “intermediates” or “leaders” based on the total of their maturity level scores. Not only does the technology industry lag slightly compared with other industries in the percentage of companies categorized as cybersecurity leaders, but it also has a much higher percentage of cybersecurity beginners.