Security professionals struggle to measure success within the business
Although most security professionals use key performance indicators (KPIs) to measure their efforts, they struggle to reconcile these with business goals, according to a new report from Thycotic.
It finds that while 84 percent of respondents have KPIs, and an even higher proportion (92 percent) say they review security in terms of its impact on the business, nearly half (44 percent) say their organization struggles to align security initiatives with the business's overall goals, while a further 35 percent aren't clear what the business goals are.
The most commonly used metric is the number of security breaches (56 percent), followed by the time taken to resolve a breach (51 percent). It appears, however, that these criteria may not be terribly useful. Around two in five (39 percent) say they have no way of measuring what difference past security initiatives have made to the business. In addition, 36 percent agree it's not a priority for them to measure security success once initiatives have been rolled out.
A focus on dealing with immediate threats can lead to disconnection from the rest of the business: 36 percent have no clear vision of how other departments measure success, while 38 percent agree business goals are not communicated to them.
Lack of clarity around metrics also has a knock-on effect when CISOs seek budgets to fund further IT security initiatives. When asked what makes the biggest difference to how the IT security budget is allocated, 47 percent point to evidence of the success and ROI of previous security initiatives. Other strategies include benchmarking levels of security spend against the competition (37 percent), while talking up the fear factor remains a favorite tactic (38 percent). Interestingly, 27 percent of respondents look to evidence of past success as the most important way to justify security spend.
"We need to change the negative perception of information security and show that this is something like fire alarms -- when you don't hear them ringing then they are doing their job," says Joseph Carson, chief security scientist and advisory CISO at Thycotic. "Businesses need to recognize the security team is working hard in the background in order for everyone else to keep doing their job. When something bad happens you're so happy that you did invest in it."
You can find out more on the Thycotic blog.