Survey finds 89% of UK Infosec professionals fail to measure security assurance

A survey conducted by Tenable Network Security, Inc., a global leader transforming security technology for the business needs of tomorrow, has found that a large majority of responding security professionals fail to measure and communicate security assurance within their organisations, and are therefore unable to connect a successful cyber security program to achieving strategic business objectives for board members and senior executives.
Survey data from 250 IT security professionals collected during Infosecurity Europe 2016 revealed that 89% of respondents fail to use security metrics to prove the value of cyber security to the organisation.
“Organisations are allocating extensive budgets and resources to cyber security defences at present, but protecting customer data is just one of many returns that this investment can deliver,” said Gavin Millard, EMEA Technical Director, Tenable Network Security. “Security teams need to collect, but more importantly share, SMART (Specific, Measureable, Actionable, Relevant, and Timely) security metrics, to guide the organisation’s decision-making process and drive actions. Businesses invest in what they understand, clear and concise data on the security posture is a ‘must do’ to ensure the security budget is available to protect organisations sufficiently.”
31% of security professionals surveyed said they do some measurement of security assurance, but admitted to sharing metrics only within the IT department. More than 12% of respondents confessed to not using any security metrics at all.
“Security professionals are delivering great results for their organisations day in and day out,” said Millard. “Every malware infection identified and eradicated, every policy violation corrected, every critical patch deployed in a timely manner, all demonstrate how effective the teams are, yet business leaders are not being informed. Security pros surely get their fair share of blame when things go wrong, so it’s to their advantage to also communicate success and improvements about their organisation’s security posture to the C-Suite.”