Close to three-quarters of security researchers said that the volume of data they have to deal with makes it hard to filter, analyze, and assess changes in risk; 46% said that their security tools fail to provide data with metrics to make the information actionable; and 41% said they do not have a real-time view of their security standing.
For the survey, Dimensional Research polled 772 security professional who attended the 2012 RSA Security Conference in San Francisco.
The survey found that 81% of respondents believe security tools with improved metrics would increase overall security effectiveness.
“We are drowning in details; we have mountains of facts but very little useful information”, observed Mike Lloyd, chief technology officer with RedSeal Networks. “People agree that the right way to deal with this is using metrics”, he told Infosecurity.
Lloyd noted that this concern for metrics is shared by commercial and government security professionals. According to a survey that RedSeal sponsored last year, 64% of federal security experts said that security metrics and continuous monitoring will improve overall security, while 43% said that network security device configuration and audit tools will improve security effectiveness and meet federal mandates.
For the federal survey, Dimension Research polled over 200 federal security experts attending the 2011 GFIRST National Conference. The survey also found that only 28% of respondents expect their agency to have in place tools and process to meet the Federal Information Security Management Act (FISMA) mandate to implement continuous monitoring by the end of fiscal year 2012. More than half of respondents said that their agencies will not be ready or they did not know if their agencies would be ready to meet the continuous monitoring deadline.
“What the surveys have in common, in the public space and commercial space, is that there is a distinct hunger out there; even after years of talking about this issue, people are still struggling to find the right metrics solution”, Lloyd observed.
He opined that current security metrics are “busyness metrics, not business metrics….we end up measuring how fast the treadmill is running.”
To address the need for better metrics, RedSeal has come out with a product, RedSeal 5, which provides actionable security performance metrics and proactive intelligence to measure the impact of changes to network security controls on a continuous basis.
RedSeal 5 provides security performance reporting and metrics functionality, such as performance indicators regarding protection of critical business assets; intelligence and visibility into the current state of network security controls, validated remediation efficiency, and ongoing policy compliance; and quantitative verification of existing security controls and processes.
“What we are offering is analytics on data that organizations already have in their silos….We look at all of the data together and say, ‘Where are the weak spots in your defenses?’ We prioritize ideas based on what you can do to improve the defenses”, Lloyd concluded.