“There’s a strong correlation between security products and metrics,” noted Tim Erlin, director of IT and risk strategy for Tripwire, which sponsored the survey. “Organizations most often build security metrics programs from the data up, rather than the business down, resulting in metrics supported by available security products, rather than focusing on those metrics that are meaningful to the business.”
For example, among threat management metrics, the percentage of endpoints free of malware and viruses led with 38% of security managers citing it as a key indicator. About 31% consider reduction in the number of data breach incidents an effective key metric, with another 30% noting that reduction in the number of known vulnerabilities is an important evaluator. However, only 17% use the mean time-to-detect security incidents as a metric, and only 13% using mean time to resolve security incidents.
“In light of the maturity curve in deployment of risk-based security management, it’s not surprising that the majority of organizations are not using metrics oriented towards higher order outcomes,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Respondents are still focused primarily on operational aspects. And, while many executives are focused on more visible outcomes, like reduction in data breaches, very few organizations are tracking more proactive metrics.”
In the compliance arena, leading metrics included mean time-to-patch (51%); reduction in audit findings and repeat findings (25%); and policy violations (21%). The study also found that only 16% of respondents viewed the number of records or files detected as compliance infractions, and only 21% identified reduction in expired certificates – including SSL and SSH keys – as an effective metric.
Key metrics for cost containment included reduction in the cost of security management activities (46%) and reduction in unplanned system downtime (35%). Only 12% of respondents use the length of time to contain security breaches and security exploits.
Staff and employee key metrics included the number of end users receiving appropriate training, which 40% of respondents named as useful in this arena. Thirty-four percent of respondents named the reduction in the number of access and authentication violations a key metric. The study also found that only 6% of security managers employ user performance on security retention awareness tests as a means of measuring security effectiveness.
Spending relative to total budget is used as a key metric for security efficiency by 44% of respondents. Thirty-four percent use reduction in total cost of ownership as a metric, and 33% of security managers use return on security technology investments as a means of measuring security efficiency.