With an ever-evolving cyber threat landscape, it is important for organisations to have a realistic understanding of their underlying cyber vulnerabilities.

A lack of such understanding may cause them to focus on the wrong capabilities and not be able to prioritise limited cyber budgets on the right improvements.

One way to get an initial understanding of whether an organisation’s cyber capabilities match the cyber threat level is by conducting self-evaluations. We asked the surveyed Danish organisations to do so, and on average they rate the state of their own cybersecurity defences slightly above 6 on a 0-10 scale.

What does the survey show?

In our survey, we asked the respondents to envision an ideal organisation where cybersecurity is deeply rooted; cyber and information security resources are adequate; and thorough threat assessments and contingency plans are in place. They would then indicate how close their organisation is to this ideal on a scale from 0 to 10, with 10 being the highest level of maturity.

According to our survey, Danish organisations rank themselves at 6.7 out of 10 on average. 66% of the respondents rank themselves above this average, while 34% rank themselves below.

Sector deep dive

According to this self-evaluation, organisations in the FS and CGS are more mature compared to organisations in the PS and ERS. There is also a large variation in the self-ratings among the organisations, especially in the CGS, PS and ERS compared to the FS.

Deloitte’s perspective

According to our survey, the average Danish organisation across all sectors ranks itself slightly above the middle of the 0-10 scale. This indicates a cyber maturity level above average for most Danish organisations, but still with some way to go to achieve higher maturity.

The data also shows large variations in self-evaluations across the different sectors. This is especially true in the PS and ERS, where 28% and 30%, respectively, rate themselves as a 5 or below. Meanwhile, we see that close to 30% of organisations in the same sectors rate themselves as 8 or higher. This indicates rather considerable differences in cyber maturity across the sectors.

The outlook is different for the FS. In this sector, only 7% rank themselves as 5 or below, indicating not only higher but also more consistent cybersecurity maturity across the sector.

The average self-evaluation in the CGS and in the FS is around 7, i.e. higher than the average rating in the other two sectors. This is in stark contrast to the rather critical self-evaluations of the FS organisations’ own cyber resiliency. This possibly indicates a higher understanding of the threat landscape rather than low maturity. This could also mean that organisations in the PS and ERS might not be as cyber resilient as they think.

Generally speaking – and in our experience – self-evaluations tend to paint too positive a picture. This could also be the case with the surveyed organisations. While it is positive to see Danish organisations aspire to be at the high cyber maturity levels, we strongly recommend testing these assumptions and maturity levels independently and closing any gaps between the self-evaluations and the independent assessments.

The bigger picture

It can be challenging to conduct a self-evaluation without painting too positive a picture of what reality looks like. Nevertheless, a correct understanding of your own starting point is crucial to recognising in what areas you need to improve and where you need to prioritise your budget, and to establishing a strategic direction for the future. Therefore, we urge every organisation to obtain an independent assessment of their cybersecurity maturity. For example, security testing is a good practice that we highly recommend to further test these evaluations conducted internally or by external parties.
