Communication Breakdown: Senior Execs Fail to Grasp Security Metrics

The study highlights that security professionals have traditionally viewed metrics as valuable operational performance measurements, while executives tend to evaluate security based on cost

A Ponemon survey has uncovered that few dispute the worth of setting benchmarks and using metrics to evaluate security success: a full 75% of respondents said that they think metrics are important or very important to a risk-based security program. But half (51%) said that they didn’t believe or are unsure that their organizations’ metrics adequately convey the effectiveness of security risk management efforts to senior executives. In addition, 53% of respondents don’t believe or are unsure that the security metrics used in their organizations are properly aligned with business objectives. 

Further, when asked the obvious question of why they don’t create metrics that senior executives can readily understand, 59% of security personnel polled said the information is too technical to be understood by non-technical management in any form, and 35% said it simply takes too much time and resources to prepare and report metrics for a non-technical audience.

“Even though most organizations rely on metrics for operational improvement in IT, more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security”, said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.

Other responses indicate an even worse communication breakdown: 48% said more pressing issues take precedence over making sure executives “get” the metrics; 40% said they only communicate with executives when there is an actual security incident; and 18% said senior executives are not interested in the information at all.

“These results correlate with the dozens of conversations we have been having with CISOs across the globe,” said Rekha Shenoy, vice president of marketing and corporate development at Tripwire, which sponsored the study. “CISOs talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies. Unfortunately, they struggle with the bigger challenge of producing meaningful metrics, while those they use are rarely aligned with business goals.”

The study postulates that one potential contributing factor in the disconnect between IT and management is the fact that security professionals have traditionally viewed metrics as valuable operational performance measurements, while executives tend to evaluate security based on cost.

“Neither of these approaches is well adapted to communicating the effectiveness of risk-based security programs,” the report noted. “This disconnect demonstrates the escalating value of communication skills in senior security roles. As business leaders are required to disclose more about their organization’s security risks, those business-oriented security executives with good communication skills will be in even greater demand.”

A June Ponemon study found similar evidence of an understanding gap between the technical and non-technical sides of the house. That research found a clear difference between the confidence of executive teams in the business’s cyber-defense strategy and the views of the technicians tasked with maintaining it. Specifically, 32% of executives described their organization’s cybersecurity posture as “excellent”, but only 18% of technicians did.

The bottom line? The communications lines need to be reopened. “Finding meaningful ways to successfully bridge this communication gap is critical to broader adoption of risk-based security programs,” Ponemon noted in the report. “The onus for this effort clearly lies with IT security and risk professionals.”
