75% of organisations have revealed that they have insufficient levels of security maturity after self-assessing their cyber security programmes.
The figures were revealed in the Cybersecurity Poverty Index by RSA, the security division of EMC, which polled more than 400 security professionals across 61 countries.
83% of the large organisations ranked themselves as below "developed" in maturity when they self-assessed the maturity of their cyber security programmes, leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick.
The CSF is designed to provide guidance based on existing standards, guidelines, and practices for reducing cyber risks.
Nearly 45% of the respondents claimed that they were incapable of measuring, assessing and mitigating cyber security risks, while 21% said that they were mature in this domain.
The survey also showed that 83% of larger organisations with more than 10,000 employees considered their overall maturity level as less than "developed", leading to the conclusion that the size of an organisation does not matter when it comes to security maturity.
Even financial services organisations, which are considered among the most advanced in terms of security maturity, also failed to rank themselves as mature in terms of cyber security.
However, organisations in the telecommunications sector have the highest level of maturity, with 50% of respondents claiming to have advanced capabilities.
Only 18% of the Government sector was ranked as advanced with regard to security maturity.
Nearly 26% of organisations in EMEA and 24% of companies in the Americas were rated as developed.
RSA president Amit Yoran said: "This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats.
"Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing.
"We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response."