Senior executives are struggling to take security metrics into account for their risk based security programmes, a report has said.
Most organisations rely on taking security metrics into account to improve operations, but non-technical business executives struggle to understand the value. IT professionals find it tough to communicate properly with senior execs, because metrics are difficult to properly explain to people with non-technical backgrounds.
A Ponemon Institute and Tripwire survey said 35 percent of IT staff find it takes too much time and resources to properly prepare and report these metrics to senior executives, and worryingly, 13 percent thought the management was simply not interested in the information. Other more pressing problems are often the priority.
Chief Information Security Officers, or CISOs, do often talk up the importance of using these metrics in line with business goals and building risk management best practice, but it is difficult to produce meaningful metrics, while those that are used rarely match business strategy, Tripwire’s Rekha Shenoy said.
A large majority of respondents with risk management background do agree that studying and using these metrics are important for a risk-based approach to security. But half of respondents said they are unsure that these metrics are used in line with business objectives.
Meanwhile, 49 percent of respondents didn’t believe or were unsure the metrics “adequately convey the effectiveness of security risk management” to senior execs.
The report concludes the onus is on IT security and risk professionals to improve the ways they communicate security metrics, if there is to be broader adoption of risk based security.
“Even though most organizations rely on metrics for operational improvement in IT,” Larry Ponemon, Ponemon’s chairman, said, “more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security”.