Once a back-room, invisible function of the enterprise, IT security has been launched into the limelight by high-profile data breaches, with Sony as the most recent, and recurring, example. Enterprises are rightfully bringing IT security to the forefront of the business process, and IT teams are responsible for showing the improvement and success of security programs that are often a significant line item on the books.
Therein lies a new challenge for IT: to develop security metrics and reporting that effectively communicate the successes, failures and potential risks of a security program to business audiences in the enterprise. Wisegate, a peer-based IT advisory, conducted a member survey of hundreds of senior IT professionals to determine their top concerns in assessing security risks. Earlier this year, we shared those top concerns with CSO readers; lack of security metrics and reporting was high on the list.
Here are our findings regarding security metrics and reporting from that survey.
Security metrics and reporting processes are immature. While 80 percent of respondents said that their top security risks (malware, data breaches and outsider threat) are increasing in the industry, an average of 50 percent don't have reporting procedures in place to measure their existing security programs.
Communication problems are due to a tool-centric rather than risk-centric view of security. IT is taking a risk-based approach to securing the business, but it currently lacks the means to report risk status to boards and internal business partners. CISOs are measuring tactical things, and the metrics that do exist are event-driven: how much classified data was blocked from leaving the system; how many malware hits were stopped at the firewall or by the AV software. The problem is that there remains a tool-centric rather than risk-centric view of security, and the tools that are available rarely provide metrics that can be combined into an overall, metrics-based company risk report that fully communicates program performance. This leads to a failure of communication between security teams and the business, and it's a major challenge for IT security.
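To make the tool-centric versus risk-centric distinction concrete, here is an added example (not from the survey or from Wisegate) that rolls per-tool event counts up into a report keyed on the three risk categories the survey names. The tool names, the mapping from tool to risk category, and all event counts are constructed sample data; the "missed" counts stand for incidents confirmed after the fact that a control did not stop, which is what a business audience actually wants to know.

```python
"""Roll tool-centric event counts up into a risk-centric report.

Assumptions (constructed for this example): each tool exports, per reporting
period, how many events it blocked and how many confirmed incidents got past it.
The risk categories are the three the survey names: malware, data breach,
outsider threat.
"""
from collections import defaultdict

# Hypothetical mapping of each tool's event stream to a business risk category.
TOOL_TO_RISK = {
    "endpoint_av": "malware",
    "email_gateway": "malware",
    "dlp": "data breach",
    "perimeter_firewall": "outsider threat",
    "waf": "outsider threat",
}

# Constructed sample counts per tool and period. Note that the firewall's
# blocked count dwarfs everything else: a tool-centric view would be dominated
# by it, while the "missed" column tells the risk story.
SAMPLE_EVENTS = [
    {"tool": "endpoint_av", "period": "2014Q3", "blocked": 820, "missed": 4},
    {"tool": "endpoint_av", "period": "2014Q4", "blocked": 910, "missed": 2},
    {"tool": "email_gateway", "period": "2014Q3", "blocked": 4300, "missed": 6},
    {"tool": "email_gateway", "period": "2014Q4", "blocked": 5100, "missed": 3},
    {"tool": "dlp", "period": "2014Q3", "blocked": 120, "missed": 1},
    {"tool": "dlp", "period": "2014Q4", "blocked": 140, "missed": 3},
    {"tool": "perimeter_firewall", "period": "2014Q3", "blocked": 98000, "missed": 0},
    {"tool": "perimeter_firewall", "period": "2014Q4", "blocked": 120000, "missed": 1},
    {"tool": "waf", "period": "2014Q3", "blocked": 2100, "missed": 2},
    {"tool": "waf", "period": "2014Q4", "blocked": 1900, "missed": 0},
    # A tool nobody has mapped to a risk category: it cannot be rolled up.
    {"tool": "legacy_ids", "period": "2014Q4", "blocked": 300, "missed": 0},
]


def aggregate_by_risk(events, tool_to_risk=TOOL_TO_RISK):
    """Sum blocked/missed per (risk, period). Unmapped tools are returned
    separately so the gap in coverage is visible rather than silently dropped."""
    totals = defaultdict(lambda: {"blocked": 0, "missed": 0})
    unmapped = set()
    for e in events:
        risk = tool_to_risk.get(e["tool"])
        if risk is None:
            unmapped.add(e["tool"])
            continue
        t = totals[(risk, e["period"])]
        t["blocked"] += e["blocked"]
        t["missed"] += e["missed"]
    return dict(totals), sorted(unmapped)


def risk_report(events, prev, curr, tool_to_risk=TOOL_TO_RISK):
    """Per risk category: incidents this period, control effectiveness
    (blocked / (blocked + missed)), and the change in incidents versus prev."""
    totals, unmapped = aggregate_by_risk(events, tool_to_risk)
    empty = {"blocked": 0, "missed": 0}
    report = {}
    for risk in sorted({r for r, _ in totals}):
        c = totals.get((risk, curr), empty)
        p = totals.get((risk, prev), empty)
        seen = c["blocked"] + c["missed"]
        report[risk] = {
            "incidents": c["missed"],
            "effectiveness": round(c["blocked"] / seen, 4) if seen else None,
            "incident_trend": c["missed"] - p["missed"],
        }
    return report, unmapped


def format_report(report, unmapped):
    """Render the report as plain lines suitable for a board summary."""
    lines = []
    for risk, r in report.items():
        eff = "n/a" if r["effectiveness"] is None else f"{r['effectiveness']:.2%}"
        lines.append(
            f"{risk}: {r['incidents']} incidents "
            f"({r['incident_trend']:+d} vs prior period), control effectiveness {eff}"
        )
    if unmapped:
        lines.append("not represented in any risk category: " + ", ".join(unmapped))
    return lines


if __name__ == "__main__":
    rep, gaps = risk_report(SAMPLE_EVENTS, prev="2014Q3", curr="2014Q4")
    print("\n".join(format_report(rep, gaps)))
```

The report deliberately leads with incidents and trend rather than blocked counts, and it lists tools that map to no risk category, which is the practical symptom of the problem described above: a control nobody has tied to a business risk produces numbers that cannot be reported in business terms.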
The volume of security products in the market makes seamless metrics and reporting very difficult. Survey respondents across the board have plans to implement various new security controls within the next three to five years. For example, 63 percent of respondents plan to implement endpoint-targeted security control products such as 'information protection' and 'anti-malware' (57 percent). Top mobility/IoT products were 'DLP, tracking masking and encryption' (46 percent). The sheer volume of different products makes communicating strengths and weaknesses in the corporate security profile in relation to business impact a difficult proposition. It results in a failure to communicate program impact in business terms, and a failure by business people to understand security.