SecurityWeek

Management & Strategy

Survey Highlights Communications Gap Between Security Pros and Senior Execs

In any relationship, good communication is key, especially in the world of enterprise IT.

In a new study from the Ponemon Institute, a survey found that among those who rated their organizations as having a low security posture, only six percent said they had effective communication with senior executives about security issues. Forty-two percent said they didn’t. Among those who said they had a high security posture, it was the virtual opposite – 41 percent said their communication with senior executives was highly effective, just 12 percent said it wasn’t.

The study fielded responses from 597 individuals who work in IT, IT security, compliance, risk management and other related fields at Fortune 500 class organizations with 1,000 or more employees. Their answers don’t always paint the prettiest picture.

“Only 13 percent of respondents would rate the security posture of their organization as very strong,” the report noted. “Whereas, 33 percent of respondents say their CEO and Board believes the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.”

The reasons for the communication gap appear multifaceted. Sixty-three percent said they only communicate with senior executives when there is a security incident, and 51 percent admit to filtering out negative facts before discussing security issues with higher-ups. Another common response was that communication about security issues was typically contained to one department or line of business (60 percent).

The good news is that many of these organizations recognize that metrics should be used to aid this process. However, 69 percent said that their metrics do not always align with business goals. In addition, 62 percent said their current metrics don’t provide enough information about the impact of changes. Fifty-four percent felt that metrics do not help them understand their vulnerability to criminal attacks.

In IBM’s CISO study last year, just 12 percent said they were feeding business and security metrics into their risk process, and nearly two-thirds said they do not translate metrics into financial results. More than half reported not fully integrating security metrics with business risk measurements.

“What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data,” said Dr. Larry Ponemon, in a statement. “The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally. We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”

According to the Ponemon report, some of the metrics that matter and can be measured include: assessment of an organization’s vulnerability to attacks, an assessment of the impact of disruptive technologies on the organization’s security posture, an assessment of technologies used to manage change to the security function and an assessment of risks caused by the migration to the cloud and changes in the mobile platform.

“The biggest issue is that IT security teams are flying blind,” said Jody Brazil, president and CTO of FireMon, which sponsored the study. “Networks are becoming more complex and expansive, while we freeze or reduce the resources tasked with managing them. The fact that the study shows 60 percent performing manual auditing or none at all is alarming. In a threat environment that is ‘always on’ and aggressive, teams must have the ability to automate and continuously monitor and assess dynamic network environments, and be equipped with proactive tools to provide predictive and prioritized intelligence on an ever-shifting risk profile.”

Written By

Marketing professional with a background in journalism and a focus on IT security.