Survey: Security Metrics Too Complicated

Friday, July 12, 2013 @ 03:07 PM gHale


For a properly run manufacturing enterprise, all ideas and programs have to run in sync with one another to achieve the greatest profitability, but the metrics security professionals use to measure risk-based security do not appear to be aligned with business objectives, a new survey said.

Security metrics are the primary tools IT professionals use to communicate security risk and posture to business leaders and executive teams, but questions remain about their effectiveness.

Even though security is becoming a hot button along executive row, the survey highlights a communication gap that exists in organizations. While there is broad agreement on the value of a risk-based approach, there is significant disparity when it comes to implementing security metrics that align with business initiatives, according to the study.

The survey, conducted by Ponemon Institute and sponsored by risk-based security provider Tripwire Inc., covers risk-based security metrics and evaluates the attitudes of 1,321 respondents (749 U.S. and 571 U.K.) from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

Key findings from the survey show:
• 75 percent of respondents say metrics are ‘important’ or ‘very important’ to a risk-based security program
• 53 percent don’t believe or are unsure security metrics used in their organizations properly align with business objectives
• 51 percent don’t believe or are unsure their organizations’ metrics adequately convey the effectiveness of security risk management efforts to senior executives

When asked, “Why don’t you create metrics that are well understood by senior executives?” respondents answered:
• 59 percent said the information is too technical to be understood by non-technical management
• 48 percent said pressing issues take precedence
• 40 percent said they only communicate with executives when there is an actual security incident
• 35 percent said it takes too much time and resources to prepare and report metrics to senior executives
• 18 percent said senior executives are not interested in the information

“Even though most organizations rely on metrics for operational improvement in IT, more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

“These results correlate with the dozens of conversations we have been having with CISOs (chief information security officers) across the globe,” said Rekha Shenoy, vice president of marketing and corporate development at Tripwire. “CISOs talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies. Unfortunately, they struggle with the bigger challenge of producing meaningful metrics while those they use are rarely aligned with business goals.”
