A survey conducted by Tenable Network Security, Inc. a global provider of security technology, has found that a large majority of security professionals it surveyed fail to measure and communicate security assurance within their organisations.
They are, therefore, unable to connect a successful cyber security programme to achieving strategic business objectives for board members and senior executives.
Survey data from 250 IT security professionals collected during Infosecurity Europe 2016 revealed that 89% of respondents fail to use security metrics to prove the value of cyber security to the organisation.
“Organisations are allocating extensive budgets and resources to cyber security defences at present, but protecting customer data is just one of many returns that this investment can deliver,” said Gavin Millard, EMEA technical director, Tenable Network Security.
“Security teams need to collect, but more importantly share, SMART (Specific, Measureable, Actionable, Relevant, and Timely) security metrics, to guide the organisation’s decision-making process and drive actions. Businesses invest in what they understand, clear and concise data on the security posture is a ‘must do’ to ensure the security budget is available to protect organisations sufficiently.”
31% of security professionals surveyed said they do some measurement of security assurance, but admitted to sharing metrics only within the IT department. More than 12% of respondents confessed to not using any security metrics at all.
“Security professionals are delivering great results for their organisations day in and day out,” said Millard. “Every malware infection identified and eradicated, every policy violation corrected, every critical patch deployed in a timely manner, all demonstrate how effective the teams are, yet business leaders are not being informed. Security pros surely get their fair share of blame when things go wrong, so it’s to their advantage to also communicate success and improvements about their organisation’s security posture to the C-Suite.”
For those interested in doing more to communicate organisational security status and demonstrate the strategic business value of cyber security, Millard suggested starting with four fundamental operational metrics:
- Compliance: The percentage of in-scope systems with less than 70% adherence to requirements
- Visibility: The percentage of critical assets scanned at least every seven days for weaknesses
- Remediation: The percentage of internet-facing assets that get major vulnerabilities patched in less than seven days
- Prevention: The percentage of systems with up to date anti-virus technology
Tenable recently asked security experts how they communicate security program effectiveness to business executives and the board. To read more about the collected recommendations and best practices, check out the Using Security Metrics to Drive Action ebook.
Click here to download the Measuring Security Assurance: Turn Technical Data into Metrics Executives Can Understand white paper.
Comment on this article below or via Twitter: @ VanillaPlus OR @jcvplus
