The Relationship Between Security Maturity and Business Enablement

May 8, 2020

In March 2020, AT&T Cybersecurity, in partnership with the industry analyst firm Enterprise Security Group (ESG), completed a research survey of 500 cybersecurity and IT professionals who are directly involved with their organization’s cybersecurity strategies, controls, and operations. Further description of the research methodology and survey demographics is presented in the appendix of this report. This research project was intended to parallel the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) by assessing organizations’ postures across the five foundational cybersecurity functions of the CSF: Identify, Protect, Detect, Respond, and Recover.

The goal of the research was to validate whether, and to what degree, organizations more closely aligned with the best practices prescribed by the NIST CSF operate more secure environments and better enable their businesses. This was accomplished through the creation of a data-driven model that segments respondents into three levels of cybersecurity maturity: “emerging” organizations, “following” organizations, and “leading” organizations. By comparing survey results across these levels, the model allows us to use data to quantify the differences in security and business outcomes that exist as maturity level improves.

AT&T Cybersecurity’s maturity model used 16 questions from the survey as inputs to determine an organization’s maturity score. These 16 questions measured a broad set of cybersecurity processes, policies, and controls in use by the organization. How formalized is the organization’s cybersecurity program? How frequently does it provide cybersecurity training to users? How diligently does it identify and prioritize threats? How is threat intelligence brought to bear? How extensively are data and assets segmented and encrypted? What technologies are used in event identification and resolution? How often is the organization’s security posture evaluated and revised over time? Based on the answers to these and other questions, respondents’ organizations could earn between 0 and 100 maturity points.

The organizations represented by the lowest scoring 39% of respondents were placed in the least mature “emerging” category, organizations in the middle of the pack were placed in the “following” category, and those that comprised the top 20% of scores were placed in the “leading” category.
