Tenable Network Security Finds 89 Percent of UK Infosec Professionals Fail to Connect Cyber Success with Strategic Business Objectives

Twelve percent of survey respondents at Infosecurity Europe 2016 said they do nothing to measure and communicate security assurance within their organisations

A survey conducted by Tenable Network Security, Inc., a global leader transforming security technology for the business needs of tomorrow, has found that a large majority of responding security professionals fail to measure and communicate security assurance within their organisations, and are therefore unable to connect a successful cyber security program to achieving strategic business objectives for board members and senior executives.

Survey data from 250 IT security professionals collected during Infosecurity Europe 2016 revealed that 89 percent of respondents fail to use security metrics to prove the value of cyber security to the organisation.

“Organisations are allocating extensive budgets and resources to cyber security defences at present, but protecting customer data is just one of many returns that this investment can deliver,” said Gavin Millard, EMEA technical director, Tenable Network Security. “Security teams need to collect, but more importantly share, SMART (Specific, Measureable, Actionable, Relevant, and Timely) security metrics, to guide the organisation’s decision-making process and drive actions. Businesses invest in what they understand, clear and concise data on the security posture is a “must do” to ensure the security budget is available to protect organisations sufficiently.”

Thirty-one percent of security professionals surveyed said they do some measurement of security assurance, but admitted to sharing metrics only within the IT department. More than 12 percent of respondents confessed to not using any security metrics at all.

“Security professionals are delivering great results for their organisations day in and day out,” said Millard. “Every malware infection identified and eradicated, every policy violation corrected, every critical patch deployed in a timely manner, all demonstrate how effective the teams are, yet business leaders are not being informed. Security pros surely get their fair share of blame when things go wrong, so it’s to their advantage to also communicate success and improvements about their organisation’s security posture to the C-Suite.”

For those interested in doing more to communicate organisational security status and demonstrate the strategic business value of cyber security, Millard suggested starting with four fundamental operational metrics.

1. Compliance: The percentage of in-scope systems with less than 70 percent adherence to requirements

2. Visibility: The percentage of critical assets scanned at least every seven days for weaknesses

3. Remediation: The percentage of internet-facing assets that get major vulnerabilities patched in less than seven days

4. Prevention: The percentage of systems with up to date anti-virus technology

Tenable recently asked security experts how they communicate security program effectiveness to business executives and the board. To read more about the collected recommendations and best practices, check out the Using Security Metrics to Drive Action ebook.

For more information about how Tenable enables Chief Information Security Officers (CISOs) and other security professionals to effectively and easily communicate security metrics to the decision-makers and business leaders within their organization, download the Measuring Security Assurance: Turn Technical Data into Metrics Executives Can Understand white paper.

To find out more about how comprehensive solutions from Tenable give organizations the continuous visibility and critical context needed to protect their networks, visit tenable.com/solutions/security-assurance.