IT's security metrics and reporting problem: A communication failure

What used to be a back room, invisible function of enterprise, IT security has been launched into the limelight with high profile data breaches with Sony as the most recently, and reoccurring, example. Enterprises are rightfully bringing IT security to the forefront of the business process, and IT teams are responsible for showing the improvement and success of security programs that are often a significant line item on the books.

Therein lies a new challenge for IT: to develop security metrics and reporting that effectively communicate the successes, failures and potential risks of a security program to business audiences in the enterprise. Wisegate, a peer-based IT advisory, conducted a member survey of hundreds of senior IT professionals to determine their top concerns in assessing security risks. Earlier this year, we shared those top concerns with CSO readers; lack of security metrics and reporting was high on the list.

Here are our findings regarding security metrics and reporting from that survey.

Security metrics and reporting processes are immature. While 80 percent of respondents said that their top security risks (malware, data breaches and outsider threat) are increasing in the industry, an average of 50 percent don't have reporting procedures in place to measure their existing security programs.

Communications problems are due to a tool-centric rather than risk-centric view of security. IT is taking a risk-based approach to securing the business, but it currently lacks the means to report the risk status to boards and internal business partners. CISOs are measuring tactical things and what metrics that exist are events-driven: how much classified data was blocked from leaving the system; how many malware hits were stopped at the firewall or by the AV software. The problem is that there remains a tool-centric rather than risk-centric view of security, and the tools that are available rarely provide metrics that can be combined into an overall metrics-based company risk report that fully communicates program performance. This leads to a failure of communication between security teams and business, and it's a major challenge for IT security.

The volume of security products in the market make seamless metrics and reporting very difficult. Survey respondents across the board have plans to implement various new security controls within the next three-to-five years. For example, 63 percent of respondents plan to implement endpoint-targeted security control products such as 'information protection' and 'anti-malware' (57 percent). Top mobility/IoT products were 'DLP, tracking masking and encryption' (46 percent). The sheer volume of different products makes communicating strengths and weaknesses in the corporate security profile in relation to business impact a difficult proposition. It results in a failure to communicate program impact in business terms, and a failure for business people to understand security.

Aggregate security products for seamless metrics and better communication. Security metrics and reporting can be improved if IT teams aggregate security point solutions to provide a seamless holistic risk rating; and then create the metrics to demonstrate the impact of security on business. As the move towards adoption of security as a service (SaaS) solutions gathers pace, security teams can start to insist on the provision of usable metrics as part of the partner agreement.

Security has moved to the central business functions--it's no longer just an IT issue. The National Association of Corporate Directors published a handbook to give cyber-risk advice to members. It says, "Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach." This point highlights the need for discussion between security teams and the board. This shows that business leaders are ready to add important security and risk to the heart of other high-level business areas, such as profitability, revenue growth and product innovation.

Elden Nelson is Editor in Chief at Wisegate, an invitation-only, business-social-networking group comprised of CSOs and CISOs.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityCSOsony

More about CSODLPSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Elden Nelson

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts