Security professionals struggle to measure success within the business


Although most security professionals use key performance indicators to measure their efforts, they struggle to reconcile these with business goals, according to a new report from Thycotic.


It finds that while 84 percent of respondents have KPIs, and an even higher proportion (92 percent) say they review security in terms of its impact on the business, nearly half (44 percent) say their organization struggles to align security initiatives with the business's overall goals, and 35 percent aren't clear what the business goals are.

The most commonly used metric is the number of security breaches (56 percent), followed by the time taken to resolve a breach (51 percent). It appears, however, that these criteria may not be terribly useful. Around two in five (39 percent) say they have no way of measuring what difference past security initiatives have made to the business. In addition, 36 percent agree it's not a priority for them to measure security success once initiatives have been rolled out.


A focus on dealing with immediate threats can lead to disconnection from the rest of the business: 36 percent have no clear vision of how other departments measure success, while 38 percent agree business goals are not communicated to them.


Lack of clarity around metrics has a knock-on effect when it comes to CISOs obtaining budgets to fund further IT security initiatives too. When asked what makes the biggest difference to how IT security budget is allocated, 47 percent point to evidence of the success and ROI of previous security initiatives. Other strategies include benchmarking levels of security spend against the competition (37 percent) while talking up the fear factor remains a favorite tactic (38 percent). Interestingly, 27 percent of respondents look to evidence of past succ ..
