New SecureTrust Report Assesses Process Maturity Across Major Industries for Continual Security Improvement
Comprehensive Analysis Based on 400 Organizations Depicts Stark Shortcomings on Processes and Procedures Needed for Keeping Data and Users Protected
CHICAGO — October 28, 2019 — SecureTrust, a division of Trustwave, today released the 2019 Global Compliance Intelligence Report, which reveals maturity ratings by industry for critical security processes from its Global Compliance and Risk Services assessments from July 2018 to June 2019.
The report examined the maturity of security processes at over 400 organizations in industries ranging from e-commerce, retail and payment processing to telecommunications, petroleum and more. Each organization was given a maturity score from zero to five (with 3.5 or above recommended), derived from the SecureTrust Compliance Intelligence model, which uses the Payment Card Industry Data Security Standard (PCI DSS) baseline of technical and operational requirements for protecting data.
The SecureTrust Compliance Intelligence model looks at eight key organizational control areas including: boundary defense, asset management, application software development and security, user management, data protection, facility controls, security testing and monitoring and training. The model is designed to provide a framework for organizations to chart progression for improving performance, capabilities and critical business processes.
Findings illustrate an overall failure in process maturity by control area in the industries analyzed. The lack of periodic reviews to ensure successful management of key processes and to verify those processes continue to satisfy organizational objectives was a major contributing factor.
Key findings from the 2019 SecureTrust Global Compliance Intelligence Report include:
- E-Commerce ranks highest overall — E-Commerce, at 3.01, has the highest overall maturity rating of any industry and the top score in each of the eight control areas, although it still falls short of the 3.5 recommended minimum. Telecommunications ranks second at 2.84, followed by Service Provider at 2.75. Hosting Providers scored lowest overall at 2.14.
- Maturity by control area needs to improve — No control area scored a maturity rating at or above 3.0, which characterizes the approach to carrying out repeatable processes as unpredictable and poorly controlled. Data Protection scored highest at 2.73, followed by Application Software Security at 2.67, Training at 2.66, Boundary Defense at 2.65, User Management at 2.65, Asset Management at 2.63 and Security Testing and Monitoring at 2.58.
- Boundary defense lacks operational effectiveness — Breaching boundary defenses is a primary objective for threat actors looking to gain access to databases and workstations. As boundary lines fade between internal and external networks as organizations push digital transformation initiatives, SecureTrust findings show weakness in initial policy design and operational execution in every industry analyzed. E-Commerce scored highest at 3.02 with Service Providers second at 2.86. Telecommunications came in third at 2.82 and Retail surprisingly followed at 2.77. Coming in last was Hosting Providers at a low 1.96.
- Lack of asset visibility adding significant risk — End-of-life operating systems, unpatched devices, and corrupted websites and files are all avenues for compromise. Without proper visibility and control of the assets deployed in an organization, improving process maturity is a futile endeavor. SecureTrust found configuration management issues and patch management failures in all industries assessed, with none achieving a score of three or better. E-Commerce scored highest at 2.96, followed by Service Providers at 2.85, Telecommunications at 2.81 and Retail in fourth at 2.69. Petroleum and Hosting Providers scored lowest at 2.60 and 1.90 respectively.
- Management of users and data protection falls short — Adversaries are capitalizing on poor user management and shortcomings in data protection. SecureTrust found flaws in password and authentication controls and in administrative access consistently across the industries observed. E-Commerce performed highest in user management at 3.03, followed by Service Providers at 2.85 and Telecommunications at 2.80. Additionally, weak encryption algorithms were found to be widely used, along with improper network segregation and isolation of sensitive data. E-Commerce scored best for data protection at 3.05 and Hosting Providers scored worst at 2.32.
“Our 2019 findings coincide closely with the continuous stream of breaches and privacy violations frequently in the headlines,” said Michael Petitti, president at SecureTrust. “We are seeing organizations in all industries putting the cart before the horse by incorporating security technologies without first gaining a clear picture of the controls and policies needed to achieve process maturity goals. As the attack surface continues to widen and businesses accelerate digital transformation initiatives, it will be even more imperative for assets, policies, controls and protection to align.”
A complimentary copy of the 2019 SecureTrust Global Compliance Intelligence Report is available for download.
SecureTrust will host a live webinar on October 30th, 2019 at 1:00pm CDT to discuss the report findings and examine the state of global security maturity in key industries.
About SecureTrust
SecureTrust™, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.