With over 400 global business and security executives participating in a benchmark survey called The 2017 State Of Cybersecurity Metrics Annual Report, more than half of respondents scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.
Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index benchmark survey provides a comprehensive way to define how well an organization is measuring the effectiveness of its IT security.
Findings from this Cyber Security Metrics survey include:
Failures in planning
- 1 in 3 companies invests in cybersecurity technologies without any way to measure their value or effectiveness.
- 4 out of 5 fail to include business stakeholders in cybersecurity investment decisions.
- 4 out of 5 companies don’t know where their sensitive data is located or how to secure it.
Failures in performance
- 2 out of 3 companies don’t fully measure whether their disaster recovery will work as planned.
- 4 out of 5 never measure the success of security training investments.
- While 80% of breaches involve stolen or weak credentials, 60% of companies still do not adequately protect privileged accounts—their keys to the kingdom.
In general:
- 58 percent of companies are failing in their efforts to measure the effectiveness of their cybersecurity investments and performance against best practices.
- 4 out of 5 companies worldwide are not fully satisfied with their cybersecurity metrics.
Most survey respondents do not feel confident about how they are measuring the value of their cybersecurity investments, and 80% stated that they are not fully satisfied with the metrics available.
You may think your business doesn’t need a formal, documented IT security policy based on cogent cybersecurity metrics. After all, documentation and worrying about information security is just for big unwieldy mega-corporations, right?