According to research[1] revealed by Tenable Network Security, Inc., the leader in real-time vulnerability and threat management, 54 percent of companies in the UK are using incorrect metrics when trying to determine their IT security status, providing a false picture of the organisation’s vulnerabilities and risk, driving the wrong behavior.
The results, collected through a survey of IT decision makers at companies with more than 500 employees by market research firm Vanson Bourne on behalf of Tenable Network Security, also indicate that there is a communication gap between the IT department and the boardroom—despite the fact that frequency of reporting between the two is increasing. In addition, the survey uncovers a potential to increase efficiency in IT security actions by reducing the current extensive reporting times.
Measurement: big security, little meaning
Top on the list of tracked key performance indicators (KPIs) in the UK with 57 percent is “quantity of security breaches detected.” This KPI is a strong trailing indicator of detective and preventative controls, but does not necessarily enable proactive prevention of further incidents. However, KPIs that do demonstrate proactive prevention are only tracked by a minority of companies, with 41 percent listing “checking if their systems have the latest version of patches or antivirus patterns” and 30 percent “monitoring if they are equipped with the latest software versions”–these are both indicators that are critical for determining IT security status. .
Because of zero-day exploits, minimising the time to roll out new patches or antivirus patterns is critical–yet the former KPI is only being measured by 32 percent and the latter by 19 percent. Encouragingly, 48 percent of respondents in the UK say that they want to be able to track more KPIs, but claim that lack of manpower and an automated approach is holding them back.
“Transparency around security is key for IT managers who are constantly playing catch-up to the ever-evolving threat landscape,” said Gavin Millard, Technical Director for Tenable Network Security in Europe, Middle East and Africa. “Despite this, 54 percent of IT decision makers are tracking the number of malware detected–which is often viewed as a false flag metric. Measuring the amount of malware detected gives little insight into the efficiency and effectiveness of the control; it merely indicates that it is functioning on some of the systems, some of the time. Strategic decisions based on the wrong data are not only ineffective but can also give a false sense of security.”
Bridging the gap to the boardroom
Over half (52 percent) of IT managers report the company’s security status to their board once per quarter or more frequently. Forty-nine percent confirm that IT security is a high priority for their CEO, with 7 percent saying it is a top priority. Further, 50 percent of IT respondents share half or more of all KPIs tracked with their board, with 26 percent sharing all of them.
“It is not surprising to see security becoming a top priority for CEOs due to the increasing awareness of the cost to businesses of data breaches and compliance issues,” Millard continued. “Therefore, it is encouraging to see how frequently IT is reporting to the boardroom, as some years ago this would have been once a year maximum. However, IT still has a long way to go to secure understanding and buy-in from the board, primarily through better means of communication. The findings showed that although a huge amount of information is being shared there is a danger of drowning management in irrelevant data – this is again reflected in the results which found that only 17 percent reported the data as “highly valuable” by their board. When delivering metrics, they have to be succinct, based on irrefutable fact and demonstrate value to the business.”
Freeing up time for vital tasks
Creating transparency in IT security is a huge task – 39 percent of UK companies have IT security solutions from three or more vendors in place and 53 percent compile all their reports manually, of which 54 percent need to report every quarter or more. In line with these findings 40 percent confirmed that it takes up to two or three days to compile a management-ready report. In view of this, 54 percent consider more resources for monitoring solutions to add additional value to protect their organisation from threats.
“Looking at these results specifically, it becomes painfully clear that IT staff are spending a large portion of their time on reporting,” explained Millard. “This is time that is being taken away from more strategic tasks designed to improve overall IT security of the business. The drain to resources is then compounded by the increasing workload driven by the rise of mobile and cloud—34 percent of survey respondents confirmed they had to add 20 percent or more devices or services to their monitoring efforts within the last twelve months.”
“As long as security blind spots within an organisation exist, businesses will not be able to rest easy from the threat of attack. Gaining clarity on the effectiveness of the investments currently made within security and making risk-based, data-driven decisions on what other controls are necessary put businesses on a more secure footing.”
[1] The survey was conducted by Vanson Bourne on behalf of Tenable and interviewed 200 IT decision makers in the UK working in companies with more than 500 employees across March 2014.
About Tenable
Tenable Network Security is relied upon by more than 20,000 organisations, including the entire U.S. Department of Defence and many of the world’s largest companies and governments, to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Its solutions continue to set the standard to identify vulnerabilities, prevent attacks and comply with a multitude of regulatory requirements. For more information, please visit www.tenable.com.
[1] The survey was conducted by Vanson Bourne on behalf of Tenable and interviewed 200 IT decision makers in the UK working in companies with more than 500 employees across March 2014.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.