Why? Because data shows that in many cases, a sizable portion of enterprises fall short of managing key types of cybersecurity risks. For example:
- About half of enterprises surveyed for IDC’s Cybersecurity Capabilities Assessment Framework don’t systematically scan and monitor a majority of their remote endpoints.
- Barely half of organizations have mobile device management (MDM) strategies in place.
- Well over half of businesses either don’t generate Software Bills of Materials (SBOMs) to track supply chain security risks at all, or they rely on inconsistent, manual approaches to producing SBOMs.
- Most organizations report that it takes them at least a week to discover active security threats.
- Only a minority of organizations have automated compliance tools and processes in place that allow them to scan for and discover risks on a continuous basis.
I could go on, but you get the point: Being in good company on the cybersecurity front doesn’t mean you’re where you want to be. If you want to minimize your exposure to threats, you need to be among the minority of organizations that comprehensively and systematically manage security risks of all types, across all domains – not the majority who fall short in critical areas.
Why it’s hard to do better at cybersecurity
To be fair, it’s hard to blame the typical organization too much for lackluster performance on the cybersecurity front. Implementing a comprehensive cybersecurity program is much easier said than done – due especially to the fact that there’s so much to secure, and that requirements change so quickly.
Because of this complexity, simply deciding how to organize a cybersecurity program can be challenging, given the many different types of risks and threats to manage and the complex ways in which they overlap.
For example, since virtually everything today touches the network in some way, does network security require a distinct set of tools and processes, or do you need to bake network security into other aspects of your security operations? For another example, do mobile devices require their own security strategy? Or should you simply treat them as endpoints – because they are, after all, endpoints?
Struggles to answer questions like these help explain why businesses routinely fall short when it comes to cybersecurity – and why virtually every year over the past decade has set new records for the frequency and cost of attacks. When it’s unclear how to begin approaching cybersecurity and formulating a strategy that covers all key risk areas coherently and efficiently, you’re set up for failure.
A framework for cybersecurity improvement
At IDC, we think organizations can tackle this challenge by devising security strategies that cover seven distinct domains:
- Network security
- Endpoint security
- Identity and digital trust
- Data security
- Application security
- Response, recovery, and resilience
- Governance, risk, and compliance (GRC)
To be sure, this taxonomy isn’t perfect. There is some overlap between these categories, and in some cases, it may not be clear where emerging technologies – like generative AI tools and services, which in some ways resemble applications but in other ways are all about data – fit in. But we believe it’s a useful foundation for identifying what enterprises need to secure, and how they should organize their security strategies.
From there, beating the curve when it comes to cybersecurity means implementing effective defenses in each of the seven domains identified above. Exactly how you do that, of course, depends in large part on factors like which types of IT assets you have to secure, which cybersecurity tools are available to you and how numerous and experienced your cybersecurity staff are. I can’t tell you exactly which cybersecurity practices are best for you.
But I can tell you – based on data like the information we compiled to substantiate the Cybersecurity Assessment Maturity Framework – what organizations that are optimized for security do differently from the average organization, and which cybersecurity practices can set your enterprise apart from the crowd in a good way.
Using that insight, you can make sure your business sits higher up in the tree, away from the low-hanging fruit that threat actors tend to target first.
To be sure, there’s no way to guarantee you’ll be safe from attack. Even if you’re among the one percent most secure enterprises in the world, threat actors who really want to break into your IT estate can likely find a way to do so, given enough time and resources. But the reality is that most threat actors just want to breach some company, not your company in particular – so, by beating the average when it comes to protecting against cybersecurity risks, you dramatically reduce your risk of attack.
Learn more about the state of enterprise security – and how your business stacks up
Want more insights on exactly where the typical enterprise falls short on the cybersecurity front? And more actionable guidance on mitigating cybersecurity threats across the seven key cybersecurity domains laid out above?
Tune in for our upcoming webinar, “Cybersecurity Norms and Trends: How Does Your Business Stack Up?” on March 13th at 12 PM ET, where IDC analysts will walk through data detailing the state of enterprise security and offer guidance on overcoming the roadblocks standing between average and best-in-class cybersecurity performance.