EDITOR’S QUESTION
HOW FAR CAN A POOR CYBERSECURITY APPROACH DETERMINE A COMPANY’S REPUTATION?
BitSight has announced the availability of a new study that evaluates how executives understand and effectively measure their cybersecurity performance and adequately communicate it to the board, senior executives, customers and critical stakeholders.
The September 2019 commissioned study conducted by Forrester Consulting on behalf of BitSight, titled Better Security And Business Outcomes With Security Performance Management, indicates that cybersecurity performance is critical to achieving commercial success. Among the study’s most interesting findings is that nearly two in five (38%) enterprises admit they have lost business due to either a real or perceived lack of security performance within their organisation.
“Financial success, brand perception, business continuity and company reputation now all hinge on security performance,” said Tom Turner, CEO, BitSight. “But in order to effectively manage performance, you have to measure it. We think this study should serve as a wakeup call for security leaders and their executives and boards to take a close look at their strategies for security performance measurement and reporting – after all, their businesses are now on the line.”
30 INTELLIGENTCIO
Based on a survey of 207 security decision makers with responsibility for risk, compliance and/or communications with boards of directors, the study explores the organisational misalignment and technological complexities that commonly prevent organisations from realising effective security performance management (SPM).
Additional noteworthy findings include:
• Effective security performance management drives business wins and better security outcomes. Nearly three-quarters of C-level respondents say that improved security performance measurement would greatly or significantly improve company financial performance, while the majority of respondents overall agree that improved measurement would improve company business continuity (82%) and company reputation (81%). Additionally, companies that have formal security performance metrics are more likely to successfully manage security: they are nearly two times more likely to develop security policies, update security technology and perform security training.
• Commercial success is at risk due to missteps in effectively measuring security performance and communicating it to external stakeholders. Seventy-nine percent of security decision makers surveyed say customer and partner demands for cybersecurity reporting have intensified, but decision makers also say customers and partners receive some of the least accurate reporting of any security stakeholder.
• Metrics are critical to understanding and improving communication around security performance, but there is room for improvement in current methods. Sixty-three percent of respondents have introduced formal security performance metrics, but four of the five top reported measurements lack context, paint an incomplete picture of security performance and can leave companies blind to risk. These metrics include: the number of malware incidents blocked; the number of intrusions blocked by a firewall/network security (50%); the percentage of filtered phishing/malicious emails (45%); and the number of data loss prevention incidents (40%).
www.intelligentcio.com