Report Depicts Shameful State of Cybersecurity Metrics

For years, Security has sought the ear of the Board and claimed it was not offered. Today the Board is listening; but all too often Security talks in a language that Business does not understand. A solution exists, but it is far from fully exploited. That solution is Metrics, a language spoken and understood by both Business and Security; but one that is not widely or effectively used.

The size of the task can be seen in just two statistics from Thycotic’s 2017 State of Cybersecurity Metrics Annual Report (PDF). Firstly, 1 in 3 companies invest in cybersecurity technologies without any way to measure their value or effectiveness. Since the global market for cybersecurity products currently stands at more than $100 billion, this means that more than $33 billion is spent every year without any current way to evaluate the ROI.

The second statistic is that four out of every five companies fail to include business stakeholders in cybersecurity investment decisions. The result, in combination, is that through no direct fault of its own, Business doesn’t understand what Security is doing, and has no way of knowing whether it is effective.

The onus is on Security to more efficiently include Business in its work. Metrics is the key, but 4 out of 5 companies worldwide are not fully satisfied with their cybersecurity metrics. More worryingly, more than half of respondents (58%) to a Thycotic survey scored a failing grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.

These conclusions come from a benchmark survey devised and conducted by Thycotic and including responses from more than 400 companies — mostly from North America, but with Europe, Russia, India, Central and South America also represented.

Using metrics to demonstrate the overall efficiency, or lack of it, in a company’s cybersecurity posture is difficult but not impossible. At the moment, however, companies are not making use of, or even collecting, the statistics that are readily available. For example, four out of five companies never measure the success of security training investments.

Two out of three companies don’t fully measure whether their disaster recovery will work as planned. And while 80% of breaches involve stolen or weak credentials (from Verizon’s DBIR), 60% of companies still do not adequately protect privileged accounts.

The result is what Thycotic describes as ‘the shameful state of cybersecurity metrics’. It sees two areas in which Security needs to improve: a failure in planning and a failure in performance. In planning, Security is failing to measure the value of cybersecurity investments, not understanding what information to protect, and not engaging with Business stakeholders. In performance, Security is not measuring expected outcomes, not measuring security awareness, and not measuring compliance with policies or regulations.

The survey and report are the first in a series of new annual reports designed to highlight the state of companies’ ability to measure their own security performance. To gather the information, Thycotic has developed a Security Measurement Index (SMI) benchmark based on the ISO 27001 standard combined with best practices from experts and professional bodies.

The benchmark returns gradings of A, B, C, D and F. Fifty percent of companies scored F, while only 18% ranked A.

“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joseph Carson, chief security scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”

Thycotic proposes a four-point plan to improve the situation: educate, protect, monitor and measure; and the report gives advice on how each of these should be enacted. Combining this program with Thycotic’s Security Measurement Index benchmark should not only improve companies’ metrics, but also provide the metrics to demonstrate and measure that improvement.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
