Executives overly reliant on compliance metrics to measure security programme effectiveness

Seventy-nine percent of IT security professionals report to executive management on compliance, yet 59 percent say threat detection metrics are most critical.

  • 9 years ago Posted in
New industry research sponsored by CyberArk (NASDAQ: CYBR) finds that one-third of CEOs and 43 percent of management teams are not regularly briefed on cyber security issues.  Additionally, while 79 percent of IT security professionals are reporting on compliance metrics to demonstrate security programme effectiveness, 59 percent state that threat detection metrics are most important.
An independent survey of global IT security professionals, “The Gap Between Executive Awareness and Enterprise Security,” drills into the types of metrics used to measure security programme effectiveness, frequency of reporting, and other factors such as budget and skills.
The cyber security gap: Executive awareness and responsibility  
The survey shows that 60 percent of respondents believe their organisation can be breached.  As cyber attacks grow in aggression and impact, CEOs and boards are being held accountable for the security posture of their organisation.  A closer look at the perceptions of IT security practitioners regarding executive cyber security leadership provides some clues into what’s driving a lack of alignment:
  • 61 percent believe that CEOs do not know enough about cyber security;
  • 69 percent say cyber security is too technical for their CEO;
  • 53 percent think that CEOs make business decisions without regard to security;
  • 44 percent believe CEOs simply do not grasp the severity of today’s risks.
IT security professionals need to properly educate executives
While IT security professionals are relying on executive-level leadership on security issues, CEOs are increasingly relying on their IT security teams to provide them with the security information that matters.  The survey shows that the cyber security awareness gap may be driven in part by the need for security teams to properly educate CEOs on what’s business critical when it comes to security:
  • One-third of CEOs are still not regularly briefed on cyber security issues and related business risks;
  • Forty-three percent of management teams do not regularly receive security status reports;
  • Fifty-nine percent of respondents emphasised threat detection metrics as the most effective for measuring security programme effectiveness, yet 79 percent still provide compliance and audit findings to their CEOs and executive teams;
  • Executive visibility into security programme effectiveness varies by industry with the highest percentage of respondents in financial services (72 percent) and healthcare (70 percent) saying they regularly provide executives with reports and metrics;
    • 50 percent or less of respondents in manufacturing, hospitality, transportation and non-profit industries said that they regularly provide reports and metrics to their executive teams;
“Compliance does not equal security.  It can lull a CEO into a state of complacency because all it demonstrates is a simple checking of a box without context for responsible levels of information protection,” said John Worrall, chief marketing officer, CyberArk.  “Security professionals are briefing executives on the wrong information. They need to arm their CEOs and executive teams with information that matters such threat detection and risk metrics versus compliance and system availability.”
Is budget a barrier to effective cyber security?
Improving IT security fundamentals is a critical step in improving an organisation’s overall security posture. The survey identified areas for improving organisational security:
  • Seventy-five percent of respondents cited budgeting issues as the primary barrier to improving cyber security;
  • In the face of a growing cyber security skills gap, 53 percent cited the lack of expertise as a primary barrier;
  • Endpoint security and privileged account security were cited as the top two organisational security priorities over the coming year.
“Increasingly it’s CEOs who own the security agenda – whether they want to or not.  One of our goals with this survey was to identify specific gaps between IT security and executive teams and help drive productive conversations that prioritise enterprise security,” continued Worrall.  “By providing greater visibility into how cyber security programmes are performing, and regularly communicating needs around budget and skills, IT security professionals will gain the support of the executive team and in turn help their organisation become more proactive in protecting against advanced threats.”
Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Atos has launched Atos OneCloud Sovereign Shield, a set of solutions, methodologies, and...
New distribution agreement set to bolster Westcon-Comstor’s Zero Trust offering in more markets...
Research from Avast has found that employees in almost a third (31%) of Small and Medium...
This year, over half of MSPs or their end customers have been attacked by ransomware but only 53%...
Trend Micro has published new research revealing that 90% of IT decision makers claim their...
Cyber consultants call on businesses to act now, or risk budgets shrinking further in ‘real...