ABSTRACT: As the scale and volume of cyberattacks continue to rise, application environments become more dispersed, which increases businesses’ risk of exposure to these attacks. As a result, cyber resiliency must be an essential requirement for any business. Given the ever-increasing threat to data and IT servers, businesses must invest in cyber-resiliency strategies to reduce operational risk. New research from ESG, however, finds that cyber-resiliency investments are even more valuable than previously thought: In addition to minimizing risk, they improve a business’s ability to innovate.
Research Overview
Improved cyber-resiliency capabilities help to reduce risk. But does an organization’s level of cyber-resiliency maturity also help foster innovation and deliver greater business success?
To answer this question, ESG surveyed 750 IT decision makers and then segmented the respondents into cyber-resiliency stages (see graphic on right). This classification was driven by how respondents answered four questions about their organization. Each of these questions represents a characteristic of a Prepared organization (i.e., an attribute of a highly resilient organization) in terms of the teams in place to protect it, the funding for technologies to mitigate risk, or the organization’s focus on minimizing third-party risk.
Key Questions:
- How would you describe the level of staffing in your cybersecurity team?
- How would you describe the level of skills in your organization’s cybersecurity team?
- How would you characterize your organization’s investment in products and services to secure its systems, applications, and data?
- Does your organization audit or inspect the security of its partners/IT vendors?
Only organizations reporting that they have no open positions they are looking to fill on their security team, that their security team has no problematic skills gaps, that their organization funds security technologies at an optimal level, and that their organization formally and rigorously audits third-party risk were considered Prepared. Those with 2 or 3 of these attributes were considered Vulnerable, while those with 0 or 1 of these attributes were considered Exposed.
According to the data, only 10% of organizations represented were classified as Prepared organizations with the highest level of cyber-resiliency maturity.
In comparing technology and business performance both quantitatively and qualitatively across these cohorts, the research validated that greater cyber resiliency correlates with improved IT service uptime, faster incident discovery and response, higher end-user satisfaction, more agile organizational innovation, and a more positive business outlook. The research also provides an empirical roadmap for organizations to follow to improve their own capabilities and results. This research summary paper focuses on the practices organizations should consider for their on-premises data storage environment to improve their cyber-resiliency maturity.
Prepared organizations are 7.1x more likely than Exposed organizations to report their storage environment is ready to support their innovation initiatives.
Characteristics of Prepared, Cyber-resilient Organizations
ESG found several key differences between Prepared organizations and organizations with lower levels of cyber-resiliency maturity specific to their on-premises data storage environments. Specifically, ESG found that:
- Prepared organizations have invested heavily in storage solutions with intrinsic data protection capabilities, reducing both outages and data loss that can be attributed to their storage environments.
- Prepared organizations have reduced their risk from outages and data loss due to investments in intrinsic data protection features.