
Security Pros Struggle to Quantify what Success Looks Like

Announcement posted by emt Distribution 09 Oct 2019

IT Security Professionals in US, UK, Germany, Australia and New Zealand have KPIs but Employers are not Acknowledging their Bearing on Business Success, New Research from Thycotic Reveals
Adelaide, October 9, 2019 – The vast majority of IT security professionals work to a set of Key Performance Indicators (KPIs) yet struggle to align these metrics with overall business goals, according to a new global survey by Thycotic, a provider of privileged access management (PAM) solutions for more than 10,000 organisations worldwide.
 
Thycotic revealed the research results from a global survey in a report entitled, “Cyber Security Team's Guide to Success: How to Measure Results, Secure Budget, and Avoid Stress.” The survey reveals insiders’ perspective into how cyber security executives and their teams are managing the unique demands of their jobs. Results were gathered in August from more than 550 IT decision-makers across the globe — including the US, UK, Germany, Australia and New Zealand.
 
Nearly nine out of ten (89%) respondents have KPIs and a similar proportion (87%) say they review security in terms of its impact on the business. Even so, more than half (52%) say their organisation struggles to align security initiatives with the business’s overall goals, while more than two-fifths (43%) aren’t clear what the business goals are.
 
The research shows the most popular performance metric is the number of security breaches (49%), followed by the number of reported incidents (46%). It appears, however, that these criteria may not be that useful: more than two in five (45%) say they have no way of measuring what difference past security initiatives have made to the business, and almost two-fifths (39%) agree it’s not a priority for them to measure security success once initiatives have been rolled out.
 
Opening the Purse Strings
Lack of clarity around metrics has a knock-on effect when it comes to obtaining budget for further IT security initiatives. When asked what makes the biggest difference to how IT security budget is allocated, nearly half of respondents (48%) point to evidence of the success and ROI of previous security initiatives. Other favoured strategies include using data to demonstrate improvements in areas such as staff productivity or new-service roll-out times (44%), citing compliance needs and the risk of fines (40%), and proposing that a commitment to protecting customer data be used as a differentiator (40%). Interestingly, more than a fifth (21%) of respondents regard evidence of past success as the single most important way to justify security spend.
 
Disconnected from the Business
There is evidence to suggest that security teams’ everyday focus on responding to immediate threats and incidents leaves them too disconnected from the business. Nearly half (44%) have no clear view of how other departments measure success, while 43% agree business goals are not communicated to them. As a result, security professionals feel removed from the rest of the business. This is reflected in their relatively low opinion of the impact they are making: asked whether security teams are hitting a home run or ‘just par for the course’, little more than a fifth (21%) feel their role or team consistently meets expectations.
 
Commenting on the findings, Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, says, “The reactive nature of an IT security professional’s work leaves them constantly looking to past achievements to demonstrate their value – a metric that bears no correlation to the organisation’s current situation or success. This disconnect inevitably puts them at a disadvantage and leaves them struggling to make a positive impression with the executive board or colleagues in other departments.”
 
“One way to counter this is to create a companywide cyber security program and culture,” he continues. “Organisations should appoint Cyber Ambassadors who are both technically proficient and skilled communicators to enlist cross-departmental co-operation geared to early warning of any anomalous activity. This will have the twin benefit of putting IT security on a more proactive footing and reducing the potential impact of security issues on the business.”
 
A free copy of the report is available at https://thycotic.com/resources/ciso-global-cyber-security-metrics-report/
 
Research Methodology
Thycotic commissioned independent market research specialist Sapio Research to undertake the survey among IT decision makers at organisations with 500+ employees in the following countries: US (203), UK (102), Germany (100), Australia (100) and New Zealand (50). At an overall level, results are accurate to ± 4.2% at 95% confidence limits, assuming a result of 50%. Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate.
 
About Thycotic
The easiest to manage and most readily adopted privilege management solutions are powered by Thycotic. Thycotic’s security tools empower over 10,000 organisations, from small businesses to the Fortune 500, to limit privileged account risk, implement least privilege policies, control applications, and demonstrate compliance. Thycotic makes enterprise-level privilege management accessible for everyone by eliminating dependency on overly complex security tools and prioritising productivity, flexibility and control. Headquartered in Washington, DC, Thycotic operates worldwide with offices in the UK and Australia. For more information, please visit www.thycotic.com.
 
For further information, please contact:
Chris Bowes
Bowes Communications
Thycotic@BowesPR.com
+61 2 9387 2332