US and Canada lead the world in cybersecurity maturity

08 January 2019

A report from ESI ThoughtLab and The Wall Street Journal – in collaboration with consultancy partners Protiviti and Willis Towers Watson – has found that North America (the US and Canada) leads in regional cybersecurity maturity. Regionally, Latin America scored lowest on a custom cybersec metric developed by ESI. Africa, the Middle East, and Central Asia were not included in the analysis. 

As digitization continues to advance, the damage from cyberattacks and the related importance of cybersecurity will likewise balloon. According to research firm Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021. Today, firms most commonly cite malware, phishing, and ransomware as the most prevalent threats; however, further risks become apparent as businesses adopt open platforms, cloud, the Internet of Things, AI, automation, and a wider swath of tech partners and suppliers. As such, a massive growth in attacks via partners, vendors, and customers can be expected in the short term.

The key, therefore, is to protect against the expanded avenues of risk (rather than unfeasibly aborting digital evolution). According to the analysis, approximately half of global companies (49%) are in the intermediate stage of cybersecurity maturity, while 31% are beginners, and just 20% are leaders. The findings, based on survey results from 1,300 global firms and a custom scoring model developed by ESI ThoughtLab, reveal that companies could stand to do significantly more regarding cybersecurity.

Maturity boosts cybersecurity 

There is a high correlation between digital maturity and cybersecurity maturity. By ESI's metrics, nearly 68% of digital "beginners" are also categorized as cybersecurity beginners, while only 3% are cybersecurity "leaders." Likewise, 46% of digital leaders are also cybersecurity leaders, while only 6% of digital leaders are cybersecurity beginners.

Cybersecurity Maturity by Revenue

A large proportion of digital leaders (54%), however, are not cybersecurity leaders, leaving them more vulnerable to cyberattacks due to their higher reliance on digital platforms. To minimize risks, companies should aim to build cybersecurity into each step of their digital transformation process.

“Digital innovation drives complexity and risks,” said Matthew Johnson, chief information security officer for Willis Towers Watson. “A business leader can say, 'Hey, I can use cloud services for everything.' They’re not thinking about the legacy infrastructure or the continuity and backup necessary.”

Maturity also leads to lower financial impact if a successful attack should occur. As cybersecurity systems mature, the probability of costly cyberattacks declines. Cybersecurity beginners have a 23% probability of a cyberattack generating more than $1 million in losses, versus 16.1% for intermediates, and 15.6% for leaders. The average cost of cyberattacks also falls with cybersec maturity. For a company with $10 billion in revenue, an attack cost would average $3.9 million if the company were a beginner and $1.2 million as a leader. Furthermore, beginners may be underestimating actual costs due to ineffective detection systems.

Because effective cybersecurity requires the necessary budget (and because large firms also have more data and reputation to lose), the analysis found a correlation between company size and cybersec maturity. Companies with revenues of more than $50 billion had the highest cybersecurity scores while firms with sales of less than $1 billion had the lowest. This suggests small businesses may have more work to do.

Cybersecurity Maturity by Country

US and South Korea lead 

From a regional perspective, cybersecurity maturity is highest in North America, with the US and Canada home to some of the globe’s most digitally advanced companies. The countries have the highest proportion of cybersec leaders (27%) and the top cybersec maturity score (above an average of 100). Countries with the top cybersec maturity scores were the US (107.2), South Korea (104.7), Japan (102.6), France (101.9), and Australia (101.3).

Many of the lowest-scoring firms were based in emerging markets like Mexico, India, and Brazil, although firms in Germany and Switzerland also had relatively low scores. Regionally, Latin America had the lowest share of cybersec leaders (11%) and the lowest cybersec maturity score (89.1). The smaller size and lesser international presence of Latin America–based firms contribute to the region’s low cybersec ranking.

As firms continue to adopt a global outlook, the report advises an internationally minded cyber defense. With attacks easily arising from any part of the world, firms have to step up security to protect their businesses and customer data from a global network of attackers.

“Everything is digitally connected. Whether it’s somebody in Russia, Nigeria, or China, they can carry out attacks quite effectively, from very far away,” said Brian Henesbaugh, partner at Baker McKenzie.

Cybersecurity Maturity by Industry

In terms of industry, "born digital" platform companies are most likely to be leaders (30%) and have the highest cybersecurity maturity score (111), followed by insurance firms (105.1). Technology firms, including smaller startup organizations, had the second lowest score at 97.1, while energy and utility firms came in last, with a score of 96.5. 

The report concludes that overall progress in cybersec maturity is not keeping pace with accelerating digital transformations in the business world. Effective cybersec is a critical element that should not be divorced from digitalization, especially as digitalization opens the door to new and varied cyber risks, the report finds.

“Companies should focus on cybersecurity at the start of the digital transformation process, not at the end,” said Scott Laliberte, managing director for Protiviti. “Rather than a silo approach, cybersecurity should be embedded within the business teams that are driving innovation. At the same time, companies should do more to measure the ROI on their cybersecurity initiatives, taking into account both the direct and indirect costs and the upside from securing their digital futures.”