One of the findings of the survey is that enterprises don't share enough intelligence on threats and responses. That may be starting to change, at least in the retail sector. Following numerous high-profile attacks, the retail industry is now looking at ways to effectively share cyber security information, including the establishment of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC). Essentially, ISACs provide a way to gather and share information about attacks and attack trends that target a particular industry. There are many ISACs already in place, primarily in the critical infrastructures including power, water, financial services and more than a dozen others.
"Working in the financial sector I see the value of ISACs," says Ken Swick, technical information security officer at Citi Group. "The types of threats one sector may be worried about can be different from another. By sharing this information between peers it allows for potentially proactive measures that can be taken before more institutions see a threat," Swick says.
While the average number of security incidents detected was 135 per organization, this figure does not account for incidents that go undetected, a potentially significant number given the 3,000 companies mentioned above that were unaware of cyber intrusions until notified by the FBI. Why such a poor showing? Many agree it is because enterprises aren't running mature information security programs.
"Primarily, they are just running compliance programs," says Javvad Malik, security analyst at The 451 Group.
Bragdon agrees, and says "compliance-based security programs will not deliver effective cybersecurity, particularly in the post-perimeter enterprise, but businesses continue to focus on compliance."
Not surprisingly, organizations that have suffered a breach take their security programs more seriously and are also more likely to have an information security department in charge of responding to incidents. The study also found that large organizations are more apt to use up-to-date security controls, such as malware analysis, threat subscription services, and threat modeling, to address overall cybersecurity risk. Is there room for hope of improvement in the immediate future? Not a lot.
"I am hopeful that the level of awareness driven to the Board and senior management by the likes of Target and the initiatives of the World Economic Forum will lock the concerns of cyber risk into the operating environment of most businesses. But as an old boss of mine was fond of saying, 'hope is for children,'" Bragdon says.