Security leaders are being asked to produce business metrics without having full trust in the data behind them.
According to research by Panaseer of over 400 security leaders in financial services organizations, 96% of companies use metrics to measure their cyber-posture, but 36% said their biggest challenge in creating metrics to measure and report on risk is trust in the data.
Other issues included the resources required to produce metrics (21%), the frequency of requests (14%) and confusion over which metric to use (15%). Fewer than half of respondents (47%) said they were very confident that they are using the right security metrics to measure cyber-risk.
Nik Whitfield, CEO of Panaseer, said that not knowing the accuracy, timeliness or even the limitations of a security metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface.
“We must move on from the era of out-of-date inaccurate metrics to one where they are automated and measured on a continuous basis,” he said. “Financial service organizations, in particular, need trusted and timely metrics into an organization’s technology risk, segmented where possible to critical operations. With this information, the board can then have a better understanding of what risks are and aren't acceptable to keep customer data safe.”
The research found the primary uses of security metrics to be risk management (41%), demonstrating the success of security initiatives (28%), supporting security investment business cases (19%) and board and executive reporting (10%).
The research also found that teams spend an inordinate amount of time producing metrics: on average it takes five days to produce them. Auditors make the most frequent demands for data, at every 10.4 days per month, while boards need updated metrics almost twice a month or more.
Commenting, Bob Sibik, vice-president of Fusion Risk Management, said that most CEOs “are starved for metrics and want solid metrics as they use them to prepare for how secure they are.” Talking to Infosecurity, Sibik said CEOs like “internal metrics” to show trends and to be able to compare themselves to their peers.
“We rely heavily [on metrics] and metrics are huge for us, and they come in handy and are crucial for day-to-day operations and to define a future strategy,” said Fusion director of cybersecurity, Safi Raza.
Manual processes were also cited as fueling data mistrust. Over half (59%) of security leaders said they still rely on spreadsheets to produce metrics, and 52% use custom scripts. Nearly one in five (18%) admitted to relying exclusively on manual processes to develop their security metrics for risk.