More than half of global businesses in a recent analysis scored an F or D grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.
The inaugural 2017 State of Cybersecurity Metrics Report from Thycotic analyzed the results of a Security Measurement Index (SMI) benchmark survey of more than 400 security executives around the world, based on internationally accepted standards for security embodied in ISO 27001. It found that 58% are falling down on the job.
“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joseph Carson, chief security scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”
With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number, 32%, of companies are making business decisions and purchasing cybersecurity technology blindly, the report found—without any way to measure their value or effectiveness. Even more disturbing, more than 80% of respondents fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions, nor have they established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.
The report uncovered an array of other poor practices as well. For instance, four out of five companies don’t know where their sensitive data is located, or how to secure it. Two out of three companies don’t fully measure whether their disaster recovery will work as planned. Four out of five never measure the success of security training investments. And, while 80% of breaches involve stolen or weak credentials, 60% of companies still do not adequately protect privileged accounts—their keys to the kingdom.
“We put out this report not only to show the errors that are being made, but also to educate those who need it on how to improve in each of the areas that are lacking,” added Carson. “Our report provides recommendations associated with better ways to educate, protect, monitor and measure so that improvements can be implemented.”