Topics:   Cybersecurity,Risk Management,Strategy,Technology

September 12, 2019

Study Highlights the Need for Security Performance Management

It seems like we hear about a new data breach or cyber incident almost daily. According to a new Forrester Research study commissioned by BitSight, in fact, 80 percent of companies surveyed experienced a cybersecurity incident in the past year, the most common being a malware attack.

The study’s key findings underscore the need for businesses worldwide to invest in a robust security performance management program. Companies that use formal security metrics were more likely to report a 10 percent or greater increase in their security budget over the past year, and they use those metrics not only to justify spending but to win business.

In this commissioned study, Forrester conducted an online survey of 207 security decision-makers responsible for risk, compliance, and/or communication with boards, to explore how organizations manage internal cybersecurity performance.

It’s clear that companies increasingly realize that a strong security posture is critical to earning customer trust, safeguarding intellectual property, and protecting their brand. Customers want to do business with secure organizations, and because empowered customers can easily take their business elsewhere if they feel exposed, security decision-makers must understand and quantify their program’s effectiveness and measure its impact on business objectives. They also need to watch for the indications of failure that would harm the business most. Survey respondents confirmed this: they said they are more likely to do business with companies that have good security, because they know their data and intellectual property are protected.

The Need for Metrics

One significant finding from this study emphasizes the need for quantifiable metrics, including security ratings, when managing cybersecurity performance. When surveyed, respondents said that better security measurement would greatly or significantly improve company financial performance and reduce risk. In fact, more than half of companies overall say improving metrics would reduce overall risk.

According to the survey results, other ways that security leaders measure security performance are as follows:

  • 50 percent use the number of malware incidents blocked
  • 50 percent use the percentage of intrusions blocked by firewall/network security
  • 45 percent use cybersecurity risk ratings
  • 45 percent use the percentage of phishing/malicious emails filtered
  • 40 percent use the number of data loss prevention (DLP) incidents generated

Overall, metrics are needed that meaningfully communicate exposure or performance to executives, regulators, business partners, and customers. Note that most of the measures listed above count activity (incidents blocked, emails filtered, alerts generated) rather than outcomes, which limits what they say about the risk that remains. One encouraging point of comparison is that 63 percent of companies using cybersecurity ratings also report them to the board; because ratings are more risk-focused, objective, and outcome-based, they are well suited to board-level discussion.

Cybersecurity is evolving into a business discipline and is being treated like one: 70 percent of decision-makers agree that scrutiny of security spending efficiency is increasing. As in other business disciplines, formal metrics have emerged as the key method of justifying investments, an approach in use at 63 percent of companies surveyed. In fact, 49 percent of decision-makers said that cybersecurity risk ratings are among their top five preferred metrics for financial planning.

When thinking about more advanced metrics they wish to use, survey respondents answered in the following way:

  • 24 percent wish to use the number of currently open customer security issues
    • Example of an advanced tactical metric—target measurement: customer support
  • 23 percent wish to use the number of failed user logins
    • Example of an advanced operational metric—target measurement: customer usability
  • 22 percent wish to use the number of high-value financial transactions blocked by security
    • Example of an advanced operational metric—target measurement: business enablement
  • 22 percent wish to use the number of reported breaches among peer organizations
    • Example of an advanced tactical metric—target measurement: industry incidents
  • 19 percent wish to use the number of unique visits to the company’s online privacy policy
    • Example of an advanced strategic metric—target measurement: customer concerns
  • 18 percent wish to use retention rates of employees with access to intellectual property
    • Example of an advanced strategic metric—target measurement: employee retention risks
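To make the arithmetic behind these measures concrete, the following is an added example, not code from the study, Forrester, or BitSight. It derives the five operational metrics listed under “The Need for Metrics” and the failed-login count from the advanced list above from a constructed batch of SIEM-style event records. The record layout and field names (`source`, `action`, `kind`, `user`) are assumptions; the point is that each percentage needs an explicit denominator (events seen, not just events blocked), and that an empty denominator must report “nothing to measure” rather than a misleading 0 or 100 percent.

```python
"""Deriving the surveyed security performance metrics from event records.

Added example; not from the Forrester/BitSight study. The event records and
field names below are constructed for illustration.
"""
from collections import Counter
from typing import Iterable, Optional

# Constructed sample telemetry in the shape a SIEM export might have.
# Field names are assumptions, not a real product schema.
SAMPLE_EVENTS = [
    {"source": "firewall", "action": "block", "kind": "intrusion"},
    {"source": "firewall", "action": "allow", "kind": "intrusion"},        # missed
    {"source": "firewall", "action": "block", "kind": "intrusion"},
    {"source": "email_gateway", "action": "quarantine", "kind": "phishing"},
    {"source": "email_gateway", "action": "deliver", "kind": "phishing"},  # got through
    {"source": "email_gateway", "action": "quarantine", "kind": "malware"},
    {"source": "endpoint", "action": "block", "kind": "malware"},
    {"source": "endpoint", "action": "block", "kind": "malware"},
    {"source": "dlp", "action": "alert", "kind": "dlp_incident"},
    {"source": "auth", "action": "fail", "kind": "login", "user": "alice"},
    {"source": "auth", "action": "fail", "kind": "login", "user": "alice"},
    {"source": "auth", "action": "success", "kind": "login", "user": "alice"},
    {"source": "auth", "action": "fail", "kind": "login", "user": "bob"},
]

# Actions that count as the control having stopped the event.
BLOCKING_ACTIONS = {"block", "quarantine"}


def _pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal, or None when there is nothing to
    measure, so an empty period is not reported as 0% or 100% blocked."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


def malware_incidents_blocked(events: Iterable[dict]) -> int:
    """Survey metric: number of malware incidents blocked (any control)."""
    return sum(1 for e in events
               if e["kind"] == "malware" and e["action"] in BLOCKING_ACTIONS)


def pct_intrusions_blocked(events: Iterable[dict]) -> Optional[float]:
    """Survey metric: share of firewall-detected intrusions that were blocked.
    The denominator is intrusions seen, including the ones allowed through."""
    seen = [e for e in events if e["source"] == "firewall" and e["kind"] == "intrusion"]
    blocked = [e for e in seen if e["action"] in BLOCKING_ACTIONS]
    return _pct(len(blocked), len(seen))


def pct_malicious_email_filtered(events: Iterable[dict]) -> Optional[float]:
    """Survey metric: share of phishing/malicious mail the gateway filtered."""
    seen = [e for e in events
            if e["source"] == "email_gateway" and e["kind"] in {"phishing", "malware"}]
    filtered = [e for e in seen if e["action"] in BLOCKING_ACTIONS]
    return _pct(len(filtered), len(seen))


def dlp_incidents(events: Iterable[dict]) -> int:
    """Survey metric: number of DLP incidents generated."""
    return sum(1 for e in events if e["source"] == "dlp")


def failed_logins(events: Iterable[dict]) -> int:
    """Advanced metric from the list above: number of failed user logins."""
    return sum(1 for e in events if e["kind"] == "login" and e["action"] == "fail")


def failed_logins_by_user(events: Iterable[dict]) -> Counter:
    """Same count broken down per account, which is what an analyst actually
    needs to tell a usability problem from a password-guessing attempt."""
    return Counter(e["user"] for e in events
                   if e["kind"] == "login" and e["action"] == "fail")


def metric_report(events: list) -> dict:
    """All surveyed metrics for one reporting period, in one dictionary."""
    return {
        "malware_incidents_blocked": malware_incidents_blocked(events),
        "pct_intrusions_blocked": pct_intrusions_blocked(events),
        "pct_malicious_email_filtered": pct_malicious_email_filtered(events),
        "dlp_incidents": dlp_incidents(events),
        "failed_logins": failed_logins(events),
    }


if __name__ == "__main__":
    for name, value in metric_report(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
    print("failed logins by user:", dict(failed_logins_by_user(SAMPLE_EVENTS)))
```

On the constructed sample the report shows two of three intrusions and two of three malicious emails stopped, which is the kind of figure an executive can act on; the raw “3 malware incidents blocked” count on its own says nothing about how many got through.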

In addition to reducing overall risk for the business, improving security measurement can have a direct impact on its financial performance, as validated by these study results. Nearly three-quarters of C-level respondents confirmed this. First and foremost, you can’t manage what you can’t measure. Quantifiable security metrics are becoming critical to planning budgets and allocating resources, but the maturity of managing security as a business is still relatively low.

Today, 45 percent of security and risk leaders use security ratings to measure the performance of their cybersecurity programs. At BitSight, our customers use security ratings to align investments and actions with the highest measurable impact over time, efficiently allocate limited resources to the most critical areas of cyber risk within their organizations, and facilitate data-driven conversations around cybersecurity among key stakeholders.

By leveraging security ratings, organizations can be confident they are measuring themselves on the same scale that the majority of their key stakeholders are measuring them on as well—be it their partners, regulators, investors, executives, or board members.

Jake Olcott is vice president of Strategic Partnerships at BitSight.