Earlier this year, SecureWorks sponsored the IDC IT Security MaturityScape Benchmark for Asia Pacific report in order to help business leaders understand and address the challenges of IT security, particularly in an age of digital transformation.
The benchmark study provides a comprehensive look at how organizations can assess and strengthen their security posture. I am going to focus on specific themes that recur throughout the report. The themes that merit thorough examination are a risk-based approach to security and the role of security within the organization.
Evaluation Criteria for a Mature Security Program
IDC, a global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets, identified five dimensions that it considers critical to security maturity:
- Risk Management
- Security Technologies
Evaluating performance using these criteria, IDC placed the organizations surveyed into five different categories based on their security maturity. These categories, rated from least to most mature, are Ad Hoc, Opportunistic, Repeatable, Managed, and Optimized.
Eighty-four percent of the Asia Pacific organizations evaluated fell into the bottom two categories, where organizations either applied only basic operational security measures on an ad hoc basis (Ad Hoc) or followed a fundamentally compliance-based security program (Opportunistic).
During the study, organizations were also asked to self-assess their approach to each of the security maturity dimensions in the context of how they were able to leverage their security programs. Based on these assessments, IDC segmented organizations into two categories – “Survivors” and “Thrivers.”
What Does It Take To Thrive?
Survivors may be going through the motions in a security sense, such as implementing firewalls and adding anti-virus software, but a significant knowledge gap remains in understanding the value security brings to strategic business decisions. As you might expect, Survivors tend to cluster around the lower end of the maturity scale, with the largest number falling into the Ad Hoc category.
By focusing their security programs and resources on reactive tactics instead of taking a more deliberate, methodical approach, they are unwittingly accepting large risks on behalf of their organizations that leave them extremely vulnerable to common and new threats.
When organizations focus on compliance, they may be successfully acting in accordance with security standards, but this approach still presents challenges.
A compliance-based approach traditionally does not focus on the bigger picture needed to optimize a security posture. It is likely security budgets are prioritizing compliance tactics that may not be the most efficient use of resources. Unfortunately, Survivors often fall behind when it comes to vision.
As an organization's security maturity advances, its ability to adapt increases, and it moves closer to thriving.
Maturation means more than enhanced capabilities: organizations that progress through the maturity model have a strong understanding of the importance of risk management and are constantly and proactively on the lookout for the maximum risk reduction per unit of cost.
This is often accomplished by securing executive buy-in, developing a risk-based model for a strong security framework, building the business with security in mind, and ensuring that the security framework is scalable.