IDC, in collaboration with FireEye and DXC, conducted a survey of 500 senior IT and security decision makers across Western Europe in order to establish a picture of cyber security maturity in the region. The first key finding of our study is that there is considerable variation across the region, depending on factors such as company size, vertical industry and nationality. It is also clear that best practice is rare.
For starters, the distribution of maturity follows a typical bell curve, with a small number of respondents at the two extremes (the low and high ends of the scale) and the majority sitting somewhere in the middle. Perhaps unsurprisingly, larger organisations tend to have a higher level of cyber maturity, which is linked to the larger budgets and scale they can bring to bear on security. Geographically, the larger and more established markets (e.g., the UK, France, Germany) sit at the upper end of the scale. The smaller markets (e.g., Italy, Spain), with less well-embedded traditions of security spending, mostly sit at the other end.
In terms of verticals, it is the more heavily regulated and communications-infrastructure-oriented industries (e.g., financial services, telecoms, IT) that sit at the more mature end of the scale. Interestingly, government is the least mature, despite being the vertical in which strong defence and in-house cyber security capabilities reside. At first this may appear counterintuitive, but one must consider the composition of the public sector. Defence, intelligence and security agencies do exist within it, but they represent only a small fraction of the sector by number of organisations. Local government bodies and, to a lesser extent, "civil" central government departments make up the lion's share, and it is they that shape the maturity profile of the sector.
Besides these insights into the make-up and profile of the Western European security market, our survey led us to draw six further key conclusions as to the state of maturity in the region:
- Security is not being brought into projects early enough. IDC's survey asked respondents at what stage they involve security in new business projects. While an encouraging 44 percent of respondents do so right from the beginning, this is spread unevenly across the maturity levels: at the lower levels, barely a quarter of respondents do so, and roughly as many at those levels do not involve security until something goes wrong.
- Good cyber risk management helps to deliver agility. There is a clear correlation between the level of cyber maturity and the ability to cope with IT change, and IDC argues that the relationship is causal rather than coincidental. Organisations with higher security maturity, which are prepared to enable new business initiatives on the basis of a balanced approach to risk management, tend to be better prepared to cope with challenges such as new application and service requests.
- Effective cyber risk management involves close ties between IT, security and the business. At the highest level, a strong corporate security culture helps to enact a consistent approach to any potential compromise. To achieve this, responsibility for security must be shared across each of the key stakeholder groups. IDC's survey shows a clear correlation between the degree of security collaboration and the level of cyber risk maturity.
- Best-practice enterprises are early adopters. By and large, the higher the cyber risk maturity of an enterprise, the greater the number of security technologies in use. This includes "physical" security techniques such as shadowing and man-traps as much as cyber security tooling. However, certain tools and techniques have a particularly strong association with maturity, and the one with the most marked impact on escalating maturity is AI and heuristic analysis. In part this reflects the fact that AI is still an emerging solution area and therefore more likely to be adopted by organisations that are already mature. However, IDC argues that AI may also be a driver of maturity in its own right, allowing enterprises to identify and react to threats more rapidly.
- Best practice involves partnership with external experts. In the search for best practice, is this more likely to exist within a single enterprise or is it more likely to be derived from a security specialist with experience dealing with multiple enterprises and vertical industries? IDC's survey findings are clear: the more mature an enterprise is, the more likely it is to work with third-party specialists. This correlation is particularly clear for discrete, project-based engagements such as testing, consulting and implementation projects. There is a more nuanced picture for managed security services (MSS), whereby the most mature respondents seek a balanced approach to MSS uptake. Rather than outsourcing wholesale, best practice involves an ongoing involvement of in-house resources in order to maintain visibility and control over the security posture.
- Best practice requires a strategic approach to investment. There is another clear correlation between the level of cyber maturity and the management perception of IT. At the lower levels of maturity, IT tends to be viewed as a cost – something to be rationalised in order to reduce the burden on the enterprise. At the other end of the scale, enterprises with the most mature approach to cyber risk view IT as a driver of competitive advantage or differentiation.
To conclude, how does the picture that we have established of cyber maturity in Western Europe compare with other major global regions such as Asia Pacific and North America? Although this was not the subject of IDC's survey, and warrants further investigation, there are some clear trends to be identified.
As with the varying geographic profile within Western Europe, the regional markets with the most established traditions of security procurement tend to be the most mature. When Western Europe is compared with North America and Asia Pacific, it clearly sits between the two. North America, driven by the U.S., is the largest and most established security market in the world: its defence and intelligence spending is the highest in the world, and this inevitably spills over into civilian markets and common practice. The opposite applies to Asia Pacific, where markets such as India and China show much potential but have yet to exert the influence on the global marketplace that their potential might warrant.
Complete the IDC Cyber Risk Assessment for help making informed decisions around cyber risk strategy and to understand the benefits associated with increasing your readiness in the face of evolving threats.
Dominic Trott is research manager for IDC's European Security Research team, covering both products and services.