Contributing Writer

The Information Security 80/20 Rule

Jun 07, 2012 (2 min read)
Advanced Persistent Threats, Cisco Systems, Data and Information Security

The majority of large organizations have numerous vulnerabilities

Over the past few months, I’ve been engaged in a research project on enterprise security management and operations. As part of some quantitative research, ESG created a segmentation model that divided survey respondent organizations into three sub-segments. The segmentation model broke down as follows: 

  • Organizations classified as security management and operations “leaders”:  19%
  • Organizations classified as security management and operations “followers”:  49%
  • Organizations classified as security management and operations “laggards”:  32%

I worked on a research project last year focused on Advanced Persistent Threats (APTs) where we created a similar segmentation model. The three sub-segments turned out as follows:

  • Organizations classified as most prepared for APTs:  21%
  • Organizations classified as somewhat prepared for APTs:  43%
  • Organizations classified as poorly prepared for APTs:  36%

There is a consistent and somewhat ominous pattern emerging here that can be summarized using the familiar 80/20 rule. On average, only 20% of large enterprise organizations are adequately prepared for cybersecurity events. The remaining 80% lag behind.  

A more specific analysis of this data can be summarized in three areas:

  1. Risk management. The elite 20% have a much better handle on controlling what is deployed on their networks and on whether those assets are vulnerable to imminent threats. The lagging 80% can’t keep up in areas like configuration management, asset management, change management, vulnerability scanning, patching, or threat intelligence.
  2. Incident detection. The elite 20% retain strong visibility of people, assets, and network traffic in order to baseline normal behavior and quickly identify anomalous behavior. The lagging 80% have trouble monitoring activity, gathering/analyzing data, spotting suspicious trends, and understanding their ramifications.
  3. Incident response. Almost all organizations have problems here, but the elite 20% do the best job with formal business and IT policies and processes guiding emergency response as well as internal and external communications. The other 80% respond with disorganized “fire drills” that lead to time-consuming delays and costly mistakes.

It is worth noting that the elite 20% are not resting on their laurels. They are the most active in terms of increasing security headcount, working with third-party service providers, testing the effectiveness of their security controls, and building enterprise-class cybersecurity policies, processes, and technology controls.

When we think about the state of enterprise information security today, we tend to focus on the elite cybersecurity 20% when we should be thinking about the lagging 80%. After all, we depend upon this struggling majority for critical infrastructure services and the protection of our personal data. This alone is a very scary thought.    


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
