BitSight, the Standard in Security Ratings, today announced the availability of a new study that evaluates how executives understand and effectively measure their cybersecurity performance and adequately communicate it to the board, senior executives, customers, and critical stakeholders. The September 2019commissioned study conducted by Forrester Consulting on behalf of BitSight titled, “Better Security And Business Outcomes With Security Performance Management” indicates that cybersecurity performance is critical to achieving commercial success. Among the study’s most interesting findings is that nearly two in five (38 percent) of enterprises admit that they have lost business due to either a real or perceived lack of security performance within their organization.
“Financial success, brand perception, business continuity and company reputation now all hinge on security performance,” said Tom Turner, CEO, BitSight. “But in order to effectively manage performance, you have to measure it. We think this study should serve as a wakeup call for security leaders and their executives and boards to take a close look at their strategies for security performance measurement and reporting – after all, their businesses are now on the line.”
Based on a survey of 207 security decision makers with responsibility for risk, compliance, and/or communications with boards of directors, the study explores the organizational misalignment and technological complexities that commonly prevent organizations from realizing effective security performance management (SPM). Additional noteworthy findings include:
- Effective security performance management drives business wins and better security outcomes. Nearly three-quarters of C-level respondents say that improved security performance measurement would greatly or significantly improve company financial performance, while the majority of respondents overall agree that improved measurement would improve company business continuity (82 percent) and company reputation (81 percent). Additionally, companies that have formal security performance metrics are more likely to successfully manage security: they are nearly two times more likely to develop security policies, update security technology and perform security trainings. Their investment decisions and strategies are also better trusted by executives and board members: using formal security metrics means security leaders are likely to see a 10 percent or greater year-over-year increase in security budget.
- Commercial success is at risk due to missteps in effectively measuring security performance and communicating it to external stakeholders. Seventy-nine percent of security decision makers surveyed say customer and partner demands for cybersecurity reporting have intensified, but decision makers also say customers and partners receive some of the least accurate reporting of any security stakeholder. Additionally, 82 percent agree that customer and partner perception of security is increasingly important to the way their firm makes decisions.
- Metrics are critical to understanding and improving communication around security performance, but there is vast room for improvement in current methods. Sixty-three percent of respondents have introduced formal security performance metrics, but four of the five top reported measurements lack context and paint an incomplete picture of security performance and can leave companies blind to potential risk. These metrics include: the number of malware incidents blocked (used by 50 percent of respondents); the number of intrusions blocked by a firewall/network security (50 percent); the percentage of filtered phishing/malicious emails (45 percent); and the number of data loss prevention incidents (40 percent).
- Cybersecurity risk ratings emerge as an early security metric bright spot. Forty-five percent of respondents report using cybersecurity ratings, making it the third-most common metric overall. Forty-nine percent of respondents say that security ratings are their top preferred metric. Derived from objective, verifiable information, security ratings provide a strategic and contextualized measurement of security performance. Forty-three percent of companies using cybersecurity ratings report them out to customers and partners, and 63 percent report them up to the board, indicating that security ratings are emerging as a top method for security performance communication across key company stakeholders.