
Over Half of UK Businesses Create IT Security Blind Spots Due to Incorrect Metrics

April 8, 2014

London/München
  • Determining security status is still a challenge for IT management
  • The majority of IT managers identify metrics with no value – 54 percent track volume of malware detected
  • Reports to the board take two days or longer to produce

According to research¹ revealed today by Tenable Network Security, Inc., the leader in real-time vulnerability and threat management, 54 percent of companies in the UK are using incorrect metrics when trying to determine their IT security status, providing a false picture of the organisation’s vulnerabilities and risk and driving the wrong behaviour.

The results, collected through a survey of IT decision makers at companies with more than 500 employees by market research firm Vanson Bourne on behalf of Tenable Network Security, also indicate that there is a communication gap between the IT department and the boardroom—despite the fact that frequency of reporting between the two is increasing. In addition, the survey uncovers a potential to increase efficiency in IT security actions by reducing the current extensive reporting times.

Measurement: big security, little meaning

Top of the list of tracked key performance indicators (KPIs) in the UK, with 57 percent, is “quantity of security breaches detected.” This KPI is a strong trailing indicator of detective and preventative controls, but does not necessarily enable proactive prevention of further incidents. However, KPIs that do demonstrate proactive prevention are only tracked by a minority of companies, with 41 percent listing “checking if their systems have the latest version of patches or antivirus patterns” and 30 percent “monitoring if they are equipped with the latest software versions” – these are both indicators that are critical for determining IT security status.

Because of zero-day exploits, minimising the time to roll out new patches or antivirus patterns is critical–yet the former KPI is only being measured by 32 percent and the latter by 19 percent. Encouragingly, 48 percent of respondents in the UK say that they want to be able to track more KPIs, but claim that lack of manpower and an automated approach is holding them back.
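The two leading indicators singled out above (patch/pattern currency across the estate and the time taken to roll a new patch out) are straightforward to compute from an asset inventory. The script below is an added example and is not code from the press release or from Tenable; the host names, release date and install dates are constructed sample data, and the 7-day rollout target used in `within_sla` is an assumed illustrative value, not a figure from the survey.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Constructed sample: one patch (or AV pattern) release and the date each
# host received it. None means the host is still unpatched.
@dataclass
class HostPatchState:
    host: str
    installed_on: Optional[date]

PATCH_RELEASED = date(2014, 3, 4)   # constructed release date
AS_OF = date(2014, 3, 31)           # constructed reporting date

HOSTS: List[HostPatchState] = [
    HostPatchState("web-01", date(2014, 3, 5)),
    HostPatchState("web-02", date(2014, 3, 6)),
    HostPatchState("db-01", date(2014, 3, 18)),
    HostPatchState("file-01", None),          # still missing the patch
    HostPatchState("hr-01", date(2014, 3, 10)),
]

def patch_coverage(hosts: List[HostPatchState], as_of: date) -> float:
    """Leading KPI: fraction of hosts that had the patch applied on or before `as_of`."""
    if not hosts:
        return 0.0
    patched = sum(1 for h in hosts
                  if h.installed_on is not None and h.installed_on <= as_of)
    return patched / len(hosts)

def rollout_days(hosts: List[HostPatchState], released: date) -> List[int]:
    """Days from release to install for every host that has installed the patch."""
    return [(h.installed_on - released).days
            for h in hosts if h.installed_on is not None]

def within_sla(hosts: List[HostPatchState], released: date,
               as_of: date, sla_days: int) -> float:
    """Fraction of ALL hosts patched within `sla_days` of release.
    Unpatched hosts count against the target, so a lagging host is not hidden."""
    if not hosts:
        return 0.0
    on_time = sum(1 for h in hosts
                  if h.installed_on is not None
                  and h.installed_on <= as_of
                  and (h.installed_on - released).days <= sla_days)
    return on_time / len(hosts)

def rollout_summary(hosts: List[HostPatchState], released: date, as_of: date) -> dict:
    """Board-ready summary of the two leading indicators."""
    days = rollout_days(hosts, released)
    outstanding = [h.host for h in hosts
                   if h.installed_on is None or h.installed_on > as_of]
    return {
        "coverage": patch_coverage(hosts, as_of),
        "median_days": median(days) if days else None,
        "max_days": max(days) if days else None,
        # Exposure window of the slowest host: unpatched hosts have been
        # exposed for the whole period since release.
        "worst_exposure_days": (as_of - released).days if outstanding else (max(days) if days else 0),
        "outstanding_hosts": outstanding,
    }

if __name__ == "__main__":
    summary = rollout_summary(HOSTS, PATCH_RELEASED, AS_OF)
    summary["within_7_days"] = within_sla(HOSTS, PATCH_RELEASED, AS_OF, 7)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Note the design choice in `within_sla`: the denominator is every host, not just the patched ones, so that hosts still missing the patch drag the number down instead of disappearing from it. A count of malware detections, by contrast, says nothing about the hosts where the control never ran, which is the shortcoming the release attributes to that metric.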

“Transparency around security is key for IT managers who are constantly playing catch-up to the ever-evolving threat landscape,” said Gavin Millard, Technical Director for Tenable Network Security in Europe, Middle East and Africa. “Despite this, 54 percent of IT decision makers are tracking the number of malware detected–which is often viewed as a false flag metric. Measuring the amount of malware detected gives little insight into the efficiency and effectiveness of the control; it merely indicates that it is functioning on some of the systems, some of the time. Strategic decisions based on the wrong data are not only ineffective but can also give a false sense of security.”

Bridging the gap to the boardroom

Over half (52 percent) of IT managers report the company’s security status to their board once per quarter or more frequently. Forty-nine percent confirm that IT security is a high priority for their CEO, with 7 percent saying it is a top priority. Further, 50 percent of IT respondents share half or more of all KPIs tracked with their board, with 26 percent sharing all of them.

“It is not surprising to see security becoming a top priority for CEOs due to the increasing awareness of the cost to businesses of data breaches and compliance issues,” Millard continued. “Therefore, it is encouraging to see how frequently IT is reporting to the boardroom, as some years ago this would have been once a year maximum. However, IT still has a long way to go to secure understanding and buy-in from the board, primarily through better means of communication. The findings showed that although a huge amount of information is being shared there is a danger of drowning management in irrelevant data – this is again reflected in the results which found that only 17 percent reported the data as “highly valuable” by their board. When delivering metrics, they have to be succinct, based on irrefutable fact and demonstrate value to the business.”

Freeing up time for vital tasks

Creating transparency in IT security is a huge task – 39 percent of UK companies have IT security solutions from three or more vendors in place, and 53 percent compile all their reports manually, of which 54 percent need to report every quarter or more. In line with these findings, 40 percent confirmed that it takes up to two or three days to compile a management-ready report. In view of this, 54 percent consider more resources for monitoring solutions to add additional value in protecting their organisation from threats.

“Looking at these results specifically, it becomes painfully clear that IT staff are spending a large portion of their time on reporting,” explained Millard. “This is time that is being taken away from more strategic tasks designed to improve overall IT security of the business. The drain to resources is then compounded by the increasing workload driven by the rise of mobile and cloud—34 percent of survey respondents confirmed they had to add 20 percent or more devices or services to their monitoring efforts within the last twelve months.”

“As long as security blind spots within an organization exist, businesses will not be able to rest easy from the threat of attack. Gaining clarity on the effectiveness of the investments currently made within security and making risk-based, data-driven decisions on what other controls are necessary put businesses on a more secure footing.”

Footnotes

  1. The survey was conducted by Vanson Bourne on behalf of Tenable and interviewed 200 IT decision makers in the UK working in companies with more than 500 employees during March 2014.
