The 4 levels of cybersecurity readiness

Where does your business land on the readiness scale?

by Jacob Hill, Lead Marketing Manager, Security, AT&T

In today's business world, the words of former Intel CEO Andrew Grove are truer than ever.

“Only the paranoid survive,” Grove once said.

At this moment, no organization is completely secure – a startling premise. Also startling is the thought that new threats emerge daily.

So, how paranoid is your business? Or, how paranoid should it be?

The 4 Levels of Cybersecurity Readiness

In a recent study sponsored by AT&T – Cybersecurity Readiness: How "At Risk" Is Your Organization? – IDC surveyed over 800 C-level IT and line-of-business executives in large and mid-sized companies around the world. Focus groups with CIOs and CISOs supplemented this survey.

Throughout the course of their research, IDC identified four distinct levels of preparedness against cyberattacks.

1. Passive

We all wish cyberthreats would just go away, but Passive organizations actually act as if they have. Merely complying with existing industry and security standards – “checking off the boxes” – is standard procedure.

The C-suite takes a hands-off approach, throwing the responsibility squarely on their IT department. Reviews of policies and procedures are few and far between, as are third-party risk assessments. Because these businesses' cyberdefenses are unprepared, breaches go largely unnoticed.

2. Reactive

In these organizations, the C-suite still delegates cybersecurity responsibility to the IT guys. They may review policies and processes or seek a third-party risk assessment, but only every quarter or so.

While that outside expertise helps in detecting some breaches, those breaches are dealt with on a case-by-case basis, with no attempt to avoid future incidents. As a result, Reactive companies are forever playing catch-up with ever-evolving cyberthreats.

3. Proactive

Rather than simply reacting to current attacks, Proactive companies seek to avoid future ones.

Because their C-level executives understand the real and present dangers out there, reviews of security policies and procedures take place monthly. The IT department focuses on the critical day-to-day operation of the network, with third parties called in to shoulder some of the security responsibilities.

The effort is above-average for these organizations, but the results can still be below par.

4. Progressive

Not surprisingly, Progressive organizations enjoy deep C-suite involvement in the setting, management and review of security measures.

While working to avoid as many future breaches as possible, these businesses realize they’re under constant attack and that some attacks will succeed. To counter that inevitability, they turn to advanced technologies like tokenization, which can reduce (or even eliminate) the value of compromised data.

Meanwhile, reviews and risk assessments are ongoing, with third-party expertise lightening the security workload of the IT team.


Only a small percentage of companies qualify as truly Progressive. For all the details and statistics, plus essential guidelines for strengthening your organization's security stance, view the full report, Cybersecurity Readiness: How "At Risk" Is Your Organization?

AT&T Cybersecurity Insights report

Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."

In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.