Security Pros Struggle to Quantify What Success Looks Like
The vast majority of IT security professionals work to a set of KPIs yet struggle to align these metrics with overall business goals, according to a new study by Thycotic.
More than four out of five (84%) respondents have KPIs and an even higher proportion (92%) say they review security in terms of its impact on the business. Even so, nearly half (44%) say their business struggles to align security initiatives with its overall goals, while more than a third (35%) aren’t clear what the business goals are.
Following interviews with more than 100 IT security decision makers in the UK, the research shows the most popular performance metric is the number of security breaches (56%), followed by the time taken to resolve a breach (51%). It appears, however, that these criteria may not be that useful: around two in five (39%) say they have no way of measuring what difference past security initiatives have made to the business, and more than a third (36%) agree that measuring security success once initiatives have been rolled out is not a priority for them.
The lack of clarity around metrics has a knock-on effect when it comes to obtaining budgets to fund further IT security initiatives. When asked what makes the biggest difference to how IT security budget is allocated, nearly half of the respondents (47%) point to evidence of the success and ROI of previous security initiatives. Other strategies include benchmarking levels of security spend against the competition (37%), while talking up the fear factor remains a favourite tactic (38%). More than a quarter (27%) of respondents cite evidence of past success as the single most important way to justify security spend.
There is also evidence to suggest security teams’ everyday focus on responding to immediate threats and incidents leads them to become too disconnected from the business. Over a third (36%) have no clear vision of how other departments measure success while 38% agree business goals are not communicated to them. In consequence, security professionals feel removed from the rest of the business. This is reflected in their relatively low opinion of the impact they are making. Asked if security teams are hitting a home run or ‘just par for the course’, less than one fifth (17%) feel their role/team consistently meets expectations.
Commenting on the findings, Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, says, “The reactive nature of an IT security professional’s work leaves them constantly looking to past achievements to demonstrate their value – a metric that bears no correlation to the organisation’s current situation or success. This disconnect inevitably puts them at a disadvantage and leaves them struggling to make a positive impression with the executive board or colleagues in other departments.”
“One way to counter this is to create a companywide cyber security program and culture,” he continues. “Organisations should appoint Cyber Ambassadors who are both technically proficient and skilled communicators to enlist cross-departmental co-operation geared to early warning of any anomalous activity. This will have the twin benefit of putting IT security on a more proactive footing and reducing the potential impact of security issues on the business.”