Survey Reveals Security Metrics are Executive Priority
RESTON, Virg. -- Intellitactics announced the results of a recent survey of top information security and IT decision makers regarding the use of business-driven metrics for measuring security effectiveness and value. The survey, conducted by San Antonio, Texas-based Frost & Sullivan using an online instrument, polled more than 80 senior executives on their interest in measuring security value, the use of metrics to quantify security effectiveness, and current practices for generating and communicating with metrics.

“Some of the issues that Intellitactics wanted to explore in this survey were the interplay between top management’s increased interest in information security, the need to manage risk, and the use of business-centric metrics to measure security effectiveness and communicate results,” states Randall K. Davis, CEO and president of Intellitactics. “The findings confirm our view that security has matured as a management discipline. This maturation has created an increased awareness by security professionals that in order to advance their strategy, they need to measure value and communicate it clearly to other executives and stakeholders across the business. The level of investment in compliance and security risk management warrants measurement, and metrics provide the proof that investments are resulting in continuous improvement.”

Key survey findings emphasize that the ability to measure value requires a centralized reporting capability, presentation of information in context, and automated processes for dynamically generating the metrics.

To accurately portray the security posture of the organization, it is essential to have a centralized repository of information that can be used to compute metrics. Results show that 89.5% of the organizations surveyed use metrics to describe the current security posture. Almost half, 46%, use metrics to measure security value, with 42.5% planning to take action within the year. About 60% of those already taking steps to measure security performance do so to justify spending; and almost 80% reported that demonstrating IT security effectiveness to other functional managers helps IT to justify action and budgets.

Without context, technical reports on alerts and incidents aren’t effective performance indicators. Conversely, both comparative and trend metrics are valuable in assessing or measuring the effectiveness of security programs and technology. More than 50% of companies surveyed realize the importance of trending – the ability to show improvement over time, and over two-thirds of respondents have either implemented or plan to implement forms of trending data within the coming year.

Metrics need to be presented in a context that makes the information relevant and usable for making decisions and understanding actions. The overall look of the instrument and the frequency of distribution have an impact on the receivers’ perception of the usefulness of the measurement. Survey results show that 25% of executives are dissatisfied with the value they get from their current reports. Fifty-two percent of respondents are still delivering reports on paper, with a slightly larger percentage, 56%, sharing reports via email.


© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks