CISOs forced to use worst-case scenarios to gain board attention

News by Mark Mayne

Companies are suffering from security data overload and a lack of agreed, meaningful metrics, with CISOs being forced to use worst-case scenarios to gain board attention, according to a new report.

A sizeable 40 percent of CISOs have felt forced to use worst-case scenarios to gain the attention of decision makers, despite recognising the damaging side effects of a ‘Project Fear’ style approach rather than stating a precise business case, according to a new Forrester report. The report also found that companies are suffering from security data overload, with many firms having an average of nine different categories of security technologies in place.

The ‘Better Security And Business Outcomes With Security Performance Management’ report assesses the growth in companies using Security Performance Management (SPM), with 63 percent of CISOs surveyed having adopted security performance metrics to formalise and quantify security investment and benchmark performance. This was found to be partly due to an increased scrutiny on spending, according to 70 percent of companies.

However, Forrester found that the SPM market lacks maturity overall, with four out of five security metrics used in enterprise security performance assessments lacking in context or objectivity. Examples include the number of malware incidents blocked or number of data loss prevention incidents generated (which don’t include the number of incidents which were not blocked). Other metrics in the top five, like the percentage of intrusions blocked by firewalls or the percentage of phishing emails filtered, might benefit from the context of a percentage, but fail on visibility, only covering a limited scope and relying on the analytical skills of the report architect.

Jake Olcott, VP of government affairs at BitSight explained to SC Media UK that context plays a crucial role in delivering valuable metrics: "Benchmarking is crucial to help business find context in the data. Executives and board members care more about relative performance using metrics that measure operational effectiveness. Reporting on the number of intrusions blocked is not just a meaningless metric because it lacks company-specific context (how many intrusions were successful?); it's a meaningless metric because there's no relative comparison to peers, competitors, or sector as a whole."

This lack of meaningful metrics has resulted in a range of disadvantages, but most critically in that companies are simply amassing more data without the ability to effectively analyse it. A significant 63 percent of enterprises have invested in new technology as a way to improve security performance measurement, but this in itself has led to an increasingly complex security ecosystem. Indeed, the Forrester analysts found that companies have an average of nine different categories of security technologies in place.

This fragmented landscape is one of the reasons driving SPM adoption, Olcott continued: "Organisations have been accustomed to making security technology purchases without measuring the effectiveness of those efforts. There are many reasons for this, including the difficulty that organisations have in operationalising their security products. Greater focus on security budgets inside enterprises will drive adoption of security metrics as a way of justifying spend."

There are significant upsides to SPM adoption already recognised in the market, with companies using formal security metrics more likely to have seen a 10 percent or greater increase in their security budget over last year. In addition, nearly three-quarters of C-level respondents said that improved security performance measurement would significantly improve company financial performance, with additional benefits in improved company business continuity (82 percent) and company reputation (81 percent).

The Forrester report, ‘Better Security And Business Outcomes With Security Performance Management’, polled 207 security decision makers about security performance measurement, and was commissioned by BitSight, a security ratings solution vendor.
