A benchmark report exploring
the impact of cybersecurity
maturity on business
outcomes
Exploring the correlation between cybersecurity and positive business and security outcomes
In March 2020, AT&T Cybersecurity and Enterprise Strategy Group (ESG) completed a benchmark survey to better understand what a mature cybersecurity program looks like and how that maturity influences security and business outcomes.
Results from the 500 security professionals surveyed on their processes, policies, and controls were mapped into the NIST Cybersecurity Framework’s (CSF) five foundational cybersecurity functions: Identify, Protect, Detect, Respond, and Recover.
The goal of this unique research was to validate if — and to what degree — organizations, in better alignment with best practices prescribed by the NIST CSF, can operate highly secure environments and better enable their businesses. This was accomplished through creation of a data-driven model that segments respondents into three levels of cybersecurity maturity: emerging organizations, following organizations, and leading organizations. By comparing survey results across these levels, the model allows us to use data to quantify the differences in security and business outcomes that exist as maturity level improves.
The results showed that organizations fall into three categories:
- Emerging (40%)
- Following (40%)
- Leading (20%)
Read our seminal report of the research findings, which takes a deep dive on the results and highlights.
Online self-assessment
Measure your maturity
From a security perspective, a large part of risk management starts with understanding security maturity, where gaps exist, and what can be done to improve that posture. In addition to our research, AT&T Cybersecurity and ESG have developed a free self-assessment tool that enables organizations to measure their security maturity, based on the survey’s benchmark data and the NIST cybersecurity framework.
Simply complete the short questionnaire to get a custom report that will help you understand which “emerging, following, or leading” category your organization is in and how you compare to your peers. The custom report also provides guidelines to help improve your security posture, based on your organization’s unique circumstances and maturity identified in the assessment.