The Good, The Bad and The Ugly: Analyzing Cisco’s Cybersecurity Readiness Index

Those of us working in Cybersecurity likely saw that Cisco recently released the world’s first cybersecurity readiness index. In this mammoth study, Cisco surveyed 6,700 private sector cybersecurity leaders in 27 countries across North & South America, Europe, Africa, the Middle East and Asia-Pacific. Their aim? To assess and compare how ready private companies are against cybersecurity threats across different geographical contexts. Let’s summarize the most interesting points from the survey, alongside some analysis that questions Cisco’s understanding of ‘mature’ cyber readiness (their ranking progresses from beginner, progressive, formative to mature).

A breach is expected, but most unprepared

Firstly, the headline; 82% of businesses expect to experience a cybersecurity incident in the next 2 years yet only 15% have the ‘Mature’ level of preparedness against these attacks.

Now this is surprising, but perhaps not in the way you think.

We’ve known for years that a preposterously minute percentage of companies are adequately protected. Nonetheless, our ears perked up at hearing that as much as 15% of companies are actually considered cybersecure. More on that later.

Moreover, 60% of companies have experienced a cybersecurity incident in the last 12 months, with 71% of incidents costing $100,000 USD and 41% costing $500,000 or more. Counterintuitively, Cisco argues that companies in more economically developed countries are less prepared for cybersecurity incidents compared to those in developing countries. This results from organizations in emerging markets adopting the most recent tech for cybersecurity, while established organizations rely on outdated defenses.

Developing economies using the latest kit, so better prepared

In the Americas, Brazil’s private sector is most capable of defending against cyber attacks with 26% of companies being considered ‘mature’. Comparatively, more developed countries like Canada (9%) and the US (13%) lag behind. Similarly in Asia-Pacific, Indonesia (39%), The Philippines (27%) and Thailand (27%) are top performers. Meanwhile, Japan (5%), South Korea (7%) and Australia (11%) are at serious risk. This distinction, however, is absent in Europe, where all except the UK and Germany achieved a score below 10%.

Interesting findings indeed. We thank Cisco for undertaking this effort toward exposing how our cybersecurity defenses are stuck in the middle ages; somewhere between the medical equivalent of beating holes in peoples heads to ‘let the harmful spirits out’ and bloodletting. However, there are issues to problematize here, specifically with how Cisco defines and determines a ‘mature’ level of cybersecurity defense.

The factors measure to determine cyber 'maturity'

Let’s take a look at the 5 most weighted factors Cisco used to determine if a company was ‘mature’.

1.??????Integrated IAM solution

2.??????End-point protection platform

3.??????Network segmentation policies based on identity

4.??????End-point protection capabilities

5.??????Secure data backup and recovery

The gaping hole in 'real' maturity measurement criteria = Trust

To be clear, these are not bad things to have. The truth is that the problem with ascribing importance to these defenses is that they ignore why attacks occur and how they can be limited.

By weighting the above list as the most important defenses, Cisco disregards the fact that 82% of successful cyber attacks result from the hand of the defenders.

A dodgy email here or erroneous download there and suddenly one mistake turns into a catastrophic breach. No matter how thick and tall the walls are to your kingdom, the moment someone on the inside mistakenly hands an attacker the key, it’s all over.

The reality is, when the expected baseline to maintain security relies on executives not falling for phishing traps, and developers to not have bugs in their code, we’ll never actually prevent breaches. That’s because designing systems on trust is our greatest mistake. Humans are, well, human. We will always make mistakes, so we have to design a system that recognizes that.

This is why decentralized access rights and authentication is essential to winning the cyberwar. Tide combines decentralized authentication mechanisms with multi-party computation to generate/operate keys to digital assets broken up across a network of nodes – meaning no one server, company or individual needs to be trusted when it comes to a system performing sensitive operations, like authenticating a user, decrypting sensitive data, or authorizing access to sensitive resources. Thus, access to assets like identity data is “trustless”, with no one holding the keys that could lead to abuse of access to those keys.

To use a metaphor, the employee that holds the keys to a company vault, with all their customer data, is an Achilles Heel at serious risk of misuse or abuse.

However, we can now secure those assets by ensuring that customer data/assets are locked in a vault that no one holds the keys to. With this system, we can ensure that any breach that occurs doesn’t result in a catastrophic loss of data and consequential lawsuits, fines and recovery costs.

This isn’t just about what Tide provides, it’s about the importance of moving toward Zero Trust across the global defense chain. Right now, the current paradigm threatens national sovereignty, business viability and the lives of everyday citizens. Until we change how we approach security, there will be victims at every level of society.

The switch to Zero Trust cybersecurity is happening, albeit slowly, and we are certainly proud to be a part of that change.