Compliance Management, Incident Response, Network Security, TDR

Report: 10% of large companies do not use any cybersecurity framework

A survey of IT and security professionals found that 16% of organizations do not use any cybersecurity framework. The report, published by Dimensional Research and Tenable Network Security, surveyed 338 IT and security professionals in the U.S.

Even among larger organizations, framework adoption varies. Among larger organizations (companies with more than 10,000 employees), 10% do not use any security framework.

Many of the professionals surveyed said their companies plan to adopt a new or additional framework in the next 12 months: 14% of respondents said their company plans to implement the NIST Framework within that period.

Tenable strategist Cris Thomas attributed the high percentage of companies planning to implement the NIST Framework to its user friendly implementation. In speaking with, he observed that the framework “is very well geared to as companies that have no security posture whatever.”

Another 12% of the survey participants said their organization plans to implement the Critical Security Controls framework and 9% said their organization plans to implement the ISO 27001/27002 framework within the next 12 month period.

“The defense in depth model that we have relied on in previous years is outdated,” said Thomas. The guidelines can “bridge the gap between believing you're secure and knowing you're secure.”

“Standardization is a very good starting point, said Cymmetria CEO Gadi Evron, speaking with, but he noted that standards are “not necessarily the only way to do security.”

Of the individuals surveyed who have implemented the NIST Framework, 70% said they adopted the framework because they see it as a best practice, rather than because business partners or contracts required it.

Many organizations use multiple frameworks, and 13% of those surveyed said that they planned to discontinue using any existing frameworks.

“Every single standard can do done correctly or can be implemented as a checkbox, to varying degrees,” Evron said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.