
Report Depicts Shameful State of Cybersecurity Metrics

For years, Security has sought the ear of the Board and claimed it was not offered. Today the Board is listening; but all too often Security talks in a language that Business does not understand. There is a solution, but it is not yet maximized. That solution is Metrics, a language spoken and understood by both Business and Security; but not widely or effectively used.

The size of the task can be seen in just two statistics from Thycotic’s 2017 State of Cybersecurity Metrics Annual Report (PDF). Firstly, 1 in 3 companies invest in cybersecurity technologies without any way to measure their value or effectiveness. Since the global market for cybersecurity products currently stands at around $100+ billion, this means that more than $33 billion is spent every year without any current way to evaluate the ROI.

The second statistic is that four out of every five companies fail to include business stakeholders in cybersecurity investment decisions. The result, in combination, is that through no direct fault of its own, Business doesn’t understand what Security is doing, and has no way of knowing whether it is effective.

The onus is on Security to more effectively include Business in its work. Metrics are the key, but 4 out of 5 companies worldwide are not fully satisfied with their cybersecurity metrics. More worryingly, more than half of respondents (58%) to a Thycotic survey scored a failing grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.

These conclusions come from a benchmark survey devised and conducted by Thycotic that included responses from more than 400 companies, mostly from North America, but with Europe, Russia, India, and Central and South America also represented.

Using metrics to demonstrate the overall efficiency or lack of efficiency in a company’s cybersecurity posture is difficult but not impossible. At the moment, however, companies are not making use of, or even collecting, the statistics that are readily available. For example, four out of five companies never measure the success of security training investments. 

Two out of three companies don’t fully measure whether their disaster recovery will work as planned. And while 80% of breaches involve stolen or weak credentials (from Verizon’s DBIR), 60% of companies still do not adequately protect privileged accounts.

The result is what Thycotic describes as ‘the shameful state of cybersecurity metrics’. It sees two areas that Security needs to improve: the failure in planning and the failure in performance. In planning, Security is failing to measure the value of cybersecurity investments; not understanding what information to protect; and not engaging with Business stakeholders. In performance, Security is not measuring expected outcomes; not measuring security awareness; and not measuring compliance with policies or regulations.

The survey and report are the first of a series of new annual reports designed to highlight the state of companies’ ability to measure their own security performance. To gather the information, Thycotic has developed a Security Measurement Index (SMI) benchmark based on ISO 27001 standards combined with best practices from experts and professional bodies.

The benchmark returns grades of A, B, C, D and F. Fifty percent of companies scored F, while only 18% ranked A.

“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joseph Carson, chief security scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”

Thycotic proposes a four-point plan to improve the situation: educate, protect, monitor and measure; and the report gives advice on how each of these should be enacted. Combining this program with Thycotic’s Security Measurement Index benchmark should not only improve companies’ metrics, but also provide the metrics to demonstrate and measure that improvement.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.