The Information Security 80/20 Rule

Over the past few months, I’ve been engaged in a research project on enterprise security management and operations. As part of some quantitative research, ESG created a segmentation model that divided survey respondent organizations into three sub-segments. The segmentation model broke down as follows: 

• Organizations classified as security management and operations “leaders”:  19%
• Organizations classifed as security management and operations “followers”:  49%
• Organizations classified as security management and operations “laggards”:  32%

I worked on a research project last year focused on Advanced Persistent Threats (APTs) where we created a similar segmentation model. The three sub-segments turned out as follows:

• Organizations classifed as most prepared for APTs:  21%
• Organizations classified as somewhat prepared for APTs:  43%
• Organizations classified as poorly prepared for APTs:  36%

There is a consistent and somewhat ominous pattern emerging here that can be summarized using the familiar 80/20 rule. On average, only 20% of large enterprise organizations are adequately prepared for cybersecurity events. The remaining 80% lag behind.  

A more specific analysis of this data can be summarized in three areas:

1. Risk management. The elite 20% have a much better handle controlling what is deployed on their networks and whether these assets are vulnerable to imminent threats. The lagging 80% can’t keep up in areas like configuration management, asset management, change management, vulnerability scanning, patching, or threat intelligence.   
2. Incident detection. The elite 20% retain strong visibility of people, assets, and network traffic in order to baseline normal behavior and quickly identify anomalous behavior. The lagging 80% have trouble monitoring activity, gathering/analyzing data, spotting suspicious trends, and understanding their ramifications.
3. Incident response. Almost all organizations have problems here, but the elite 20% do the best job with formal business and IT policies and processes guiding emergency response as well as internal and external communications. The other 80% respond with disorganized “fire drills” that lead to time-consuming delays and costly mistakes.

It is worth noting that the elite 20% are not resting on their laurels. They are the most active in terms of increasing security headcount, working with third-party service providers, testing the effectiveness of their security controls, and building enterprise-class cybersecurity policies, processes, and technology controls.

When we think about the state of enterprise information security today, we tend to focus on the elite cybersecurity 20% when we should be thinking about the lagging 80%. After all, we depend upon this struggling majority for critical infrastructure services and the protection of our personal data. This alone is a very scary thought.