Are you ready for the new era of cyberthreats?

Benchmark your preparedness against 1,200 security leaders worldwide

Take our cyber threat assessment to rank your preparedness against 1,200 cybersecurity execs.

Cybersecurity is no longer just an IT issue. It’s a strategic imperative for business and government and a core area of risk. Yet many cybersecurity programs aren’t keeping pace with digital transformation, and their budgets aren’t growing as fast as the threats they face.

How much progress has your company made in implementing basic cybersecurity methods, such as the five pillars—Identify, Protect, Detect, Respond, Recover—recommended by the U.S. National Institute of Standards and Technology (NIST) in its cybersecurity framework? Grade yourself from level 1 to 5 in terms of preparation and ongoing vigilance.

Scoring key:

  • 1 Undefined: Starting to think about this. No plans in place.
  • 2 Ad hoc: Beginning to put plans and processes in place. Taking action but not consistently.
  • 3 Defined and repeatable: Using defined processes and plans, and making progress but not yet fully aligned with the business.
  • 4 Managed: Continuously monitoring with metrics in place, and seeing considerable benefits.
  • 5 Optimized: Fully acted on this activity, ahead of most of our peers, and seeing significant benefits.


How far along is your organization in the following areas?

  • Identifying cybersecurity risks, including setting up governance procedures and assessing potential vulnerabilities
  • Protecting against cybersecurity risks using protective technology, identity access controls, and staff training
  • Detecting cybersecurity risks, including continuous security monitoring and the use of advanced detection processes and technologies
  • Responding to cybersecurity risks, including ability to mitigate the impact of an attack and processes around response plans
  • Recovering from cybersecurity risks, including steps to restore systems, manage public relations fallout, and incorporate lessons into future plans and processes

Your score:
You’re an early implementer

How you compare

You’ve got work to do! You’re among the 7% of our survey respondents who are also early implementers, while 59% are mid-implementers, and 34% are advanced.

Perhaps your organization recently started thinking about how to address cybersecurity concerns. Maybe you’re at the planning stage. Or maybe you have a cybersecurity plan in place but haven’t yet implemented it consistently across the enterprise. You probably haven’t seen much benefit from your efforts so far. This makes it hard to request additional funding to help you prepare for attacks.

Here’s the good news: the most serious risks can be addressed just by talking. That’s because one-third of all breaches are still caused by human error. Hackers commonly break into organizations via phishing emails and other forms of social engineering. Solution: Provide adequate training to help employees deal with these intrusions and give them simple tools to report suspicious activities.

You aren’t alone. Most organizations need to pay closer attention to detection, a critical tool in the cybersecurity arsenal. Our survey found that it takes organizations 128 days on average to detect a breach. These delays can be damaging and expensive.

Cyber incidents are inevitable in today’s world. That’s why detection, response planning, mitigation, and communications have become essential. Many organizations aren’t doing enough. It’s time to change that.

Your score:
You’re a mid-implementer

How you compare

You’re busy and planning, but not done yet. Almost 60% of respondents in our survey are mid-implementers, while 34% are advanced and 7% are early implementers.

Perhaps various teams or departments in your organization are planning and defining processes inconsistently. You aren’t seeing much benefit yet from your investments, which makes it harder to request additional funds to ramp up investment as threats grow more pronounced and dangerous.

While almost 6 in 10 organizations surveyed report being in the managed or optimized stage for detection, it takes organizations 128 days on average to detect a breach. These delays can be extremely damaging and costly.

While companies like yours are progressing, many struggle with continuous security monitoring, particularly around anomalies and detected events. Planning for recovery after a cyber incident is crucial, and most organizations are making progress. However, they often neglect to make needed improvements after a breach, which is a crucial activity in the recovery phase.

Your score:
You’re an advanced implementer

How you compare

Congratulations! You’re well on your way to building an effective cybersecurity program. Thirty-four percent of respondents in our survey are advanced implementers like you, while 59% are mid-implementers and 7% are early in the process.

Advanced implementers are ahead in all areas of cybersecurity. They excel in managing supply chain risk, a huge concern in the wake of disruptions caused by the pandemic and the war in Ukraine.

Advanced organizations like yours have made significant progress in all areas, especially those where fundamental cyber hygiene is vital, such as maintenance and information protection processes. However, maintenance is a weak point for all organizations in our survey, even the advanced implementers.

One hallmark of advanced implementers is their ability to detect breaches faster, which enables them to fix problems sooner. They similarly report shorter times to respond to a breach. Speedier response times can spell the difference between a major and a minor breach.

Advanced organizations like yours also outperform others on the number of server clients using multifactor authentication, a growing best practice as identity theft rises. Advanced implementers likewise report shorter times for patching external-facing systems—an important metric given the expanded networks needed to meet the needs of customers, vendors, and remote-working staff. Advanced entities also do better on the number of times that they conduct scans and the time to eliminate employees' access to the corporate network after they leave the organization.

Most importantly, advanced organizations see fewer incidents and material breaches. In 2021, they recorded 22.9 incidents on average versus 25.8 for all others, and 0.76 material breaches versus 0.81 for others. Due to the growing financial and reputational costs of material breaches, these percentage differences can have outsized impacts. Our research reveals that organizations that are in advanced stages of supply chain maturity under the NIST framework can detect, respond to, and mitigate breaches faster.