Regardless of size, nearly three-quarters of companies lack the maturity to address cyber security risks, according to the inaugural “Cybersecurity Poverty Index” released by RSA, The Security Division of EMC.

The index compiled survey results from more than 400 security professionals across 61 countries. Participants self-assessed the maturity of their cyber security programs against the NIST Cybersecurity Framework, and the results pointed to insufficient maturity across the board.

Of the organizations surveyed with more than 10,000 employees, 83 percent rated their capabilities as less than “developed” in overall maturity, suggesting that they see room for significant growth.

The area where companies felt they were strongest was in “protection,” while the weakest area was in “response.”

“This research demonstrates that enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats,” Amit Yoran, president of RSA, said in a statement. “Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing. We believe this dichotomy is a result of the failure of today’s prevention-based security models to address the advancing threat landscape. We need to change the way we think about security and that starts by acknowledging that prevention alone is a failed strategy and more attention needs to be spent on strategy based on detection and response.”

For more on the survey and to see the results, click here: Cybersecurity Poverty Index