The businesses rate themselves highly when asked how close they are to the ideal cybersecurity organisation. The sector is indeed very mature in this area, but do they paint too positive a picture?
What does the survey show?
In the survey, we asked the respondents to envision an ideal organisation where cybersecurity is deeply rooted; cyber and information security resources are adequate; and thorough threat assessments and contingency plans are in place. The respondents were then asked to indicate how close their organisation is to this ideal on a scale from 0 to 10 (10 being the ideal organisation).
The average self-evaluation is just about 7. Seventy-two percent of the respondents rate themselves 7 or higher. Seven percent rate themselves as 5 or below.
Q: Imagine an ideal organisation where cybersecurity is deeply rooted, the organisation’s cyber resources are sufficient and there is a clear threat assessment and contingency plan. How close do you believe your organisation is to that ideal?
The businesses in the financial sector have a quite positive self-image when it comes to how close they are to being an ideal cybersecurity organisation. While the average for the businesses in the financial sector is just around 7, the average across all four sectors in Deloitte’s Cyber Surveys (the financial sector together with the consumer sector, the public sector, and the energy, resources and industrials sector) is around 6.
The financial sector is somewhat more mature than the other sectors when it comes to cybersecurity. However, generally speaking – and in our experience – self-evaluations tend to paint too positive a picture, and this could also be the case with the surveyed businesses. While it is good to see that the businesses aspire to high cyber maturity levels, we strongly recommend testing these assumptions and maturity levels independently and closing any gaps between the self-evaluations and the independent assessments.
To some extent, the positive self-evaluation also stands in contrast to the fact that less than one out of ten businesses in the financial sector have fully implemented baseline cybersecurity measures (response plans, self-defence plans, cyber awareness training and cyber hygiene) – as asked about elsewhere in the survey.
The bigger picture
It can be challenging to conduct a self-evaluation without painting too positive a picture of what reality looks like. Nevertheless, a correct understanding of your own starting point is crucial to recognising which areas you need to improve, where you need to prioritise your budget, and what strategic direction to set for the future. Therefore, we urge every organisation to obtain an independent assessment of its cybersecurity maturity. Security testing, for example, is a good practice that we highly recommend as a way to check evaluations that were conducted internally or by external parties.