Grading Cybersecurity Around the Globe

Tenable has released its inaugural Global Cybersecurity Assurance Report Card, with research conducted by the CyberEdge Group. The report takes the responses of over five hundred security professionals from around the world and asks them to grade their organizations’ ability to assess cybersecurity risks and to mitigate threats that can exploit those risks. The results of the survey are pretty interesting and show a wide variety of answers around the world and across industries. Unfortunately the overall global average grade is just 76%, or an unremarkable “C.”

About the report

There are a couple of things to note about this report. First, we surveyed a broad spectrum of security professionals around the world and did not specifically target our customer base. Second, we only looked at data from industry verticals and countries where we received a statistically significant number of responses; in this way, we would not have a small number of responses for a particular area or industry making things look worse or better than they actually were. And third, all of the people we included in the survey data came from organizations with more than five hundred employees, which means that the answers are really enterprise level answers.

Summary results

When you look at the data, a few interesting things emerge regardless of which country or industry you look at. Most respondents ranked their ability to secure both cloud infrastructure (IaaS, PaaS) and cloud applications (SaaS), mobile devices and web apps as weaknesses. But almost everyone ranked their ability to secure endpoints, data centers, dealing with insider threats and communicating to executives as strengths. This could be because end points and data centers have been around longer and we have more experience dealing with them, as opposed to mobile and cloud apps which are comparatively much newer aspects of the cybersecurity landscape.

Results by industry

There are some interesting bits when you break things down by industry. Financial services and telecom score the highest grades, while government and education score the lowest grades. It’s not a huge surprise that financial services and telecom are at the top of the ranking, since these sectors are risking real money and in some cases large amounts of real money.

What is surprising is seeing education and government at the bottom of the list. Education has been a huge target for quite some time, with a rash of college online break-ins in the late ‘90s, targeting student’s personally identifiable information and research intellectual property. However, educational institutions have to deal with large transient populations, and reliance on mobile devices may help explain their low ranking. It is also surprising to see government’s low rankings in the report. (Note that government here doesn’t just apply to the US federal government; this is a global report and also includes state and regional governments from around the world.) Considering the number of attacks suffered by government agencies, we hoped that they would have a higher score.

Technological challenges

The report also asked people to rank the challenges they face in attempting to secure their infrastructure. One very interesting result was that a lack of effective security products came in dead last on the list, meaning that people report being generally happy with the security products that are available to them. And lack of budget only scored in the middle of the list; perhaps people have been able to stretch what little budgets they have for so long that they have gotten used to it, or maybe companies are realizing the importance of spending on cybersecurity and have loosened up those budgets a little bit. But the number-one challenge facing cybersecurity as reported by the respondents was the overwhelming cyber threat environment. There is just too much happening too fast for people to keep up with.

We also asked people how optimistic they were today versus a year ago. A full 90% of respondents said they were the same or more optimistic today. Considering that the number-one challenge was an overwhelming cyber threat environment, it is good to see people keeping a positive outlook.

For more information

I encourage you to download the 2016 Global Cybersecurity Assurance Report Card report and infographic yourself to examine the data in more detail. Or you can watch an on-demand webinar about the report findings for the US and Canada, EMEA, or APAC.

We will be posting more detailed blogs exploring the results in specific industries and technologies.

And keep an eye out next year as we do this research again; you will have the ability to start looking at year-over-year trends within your own industry.