Executive confidence in their enterprises’ security posture is lacking. Less than one-third (31%) in a recent survey said that they are confident in their security posture, and only slightly more than a quarter (28%) feel that their communications on security metrics and posture to senior management are effective.
The survey, from Raytheon|Websense, revealed that the overwhelming majority of executives (65%) are only "somewhat confident" that they’re well-positioned for attack.
To dig a bit deeper into the issue, the survey probed executives on the metrics they use to communicate their security posture. Only just over a quarter (28%) of executives surveyed said that they felt the security metrics they used were "completely effective."
A full 65% felt the metrics they used were only "somewhat effective."
There’s little wonder that insecurity about security abounds. In the past year, nearly nine in 10 organizations have had at least one breach, and one in five had three to five breaches that resulted in a loss or compromise of data.
Raytheon|Websense pointed out that counting alerts and incidents does little to shed light on the real security posture of an organization—although the number of breaches or incidents is certainly not an insignificant metric.
For example, an organization might have 400 breaches one year and 300 the next. It looks like a 25% reduction, and in simple terms it is. But if the organization had even one breach among the 300 that resulted in a loss or compromise of data, then the number of breaches is really an unreliable metric for communicating an organization’s security posture.
"We know threats are going to get in, so if we want to be more confident, we need to shift our thinking to qualitative metrics such as dwell time, which is the elapsed time from initial breach to containment," said Ed Hammersla, president of Raytheon|Websense. "Reducing the time a threat is in your network reduces damage and helps strengthen your overall security posture."
The survey found that a third (33%) use dwell time alongside other metrics, such as cost of incidents (39%) and reduction in vulnerabilities (39%).