Companies failing to measure cybersecurity effectiveness and performance

Security Measurement Index benchmark survey shows nearly a third blindly making cybersecurity investments.

  • 7 years ago Posted in
Thycotic has released its first annual 2017 State of Cybersecurity Metrics Report which analyzes key findings from a Security Measurement Index (SMI) benchmark Survey of more than 400 global business and security executives around the world. Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index benchmark survey provides a comprehensive way to define how well an organization is measuring the effectiveness of its IT security.
 
According to the findings, more than half of the 400 respondents in the survey, 58 percent, scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices. 
 
“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joe Carson, Chief Security Scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”
 
With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number, 32 percent, of companies are making business decisions and purchasing cyber security technology blindly. Even more disturbing, more than 80 percent of respondents fail to include business users in making cyber security purchase decisions, nor have they established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.
 
Additional key findings from the report include:
  • One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
  • Four out of five companies don’t know where their sensitive data is located, and how to secure it.
  • Four out of five fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.
  • Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
  • Four out of five never measure the success of security training investments.
  • While 80 percent of breaches involve stolen or weak credentials, 60 percent of companies still do not adequately protect privileged accounts---their keys to the kingdom.
  • Small businesses are targeted in two out of three cyberattacks.
  • Sixty percent of small businesses go out of business six months after a breach.
 
“We put out this report not only to show the errors that are being made, but also to educate those who need it on how to improve in each of the areas that are lacking,” added Carson. “Our report provides recommendations associated with better ways to educate, protect, monitor and measure so that improvements can be implemented.”
Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
73% of organizations lack automated patch management, and 62% experienced incidents involving...
Quest Software has signed a definitive agreement with Clearlake Capital Group, L.P. (together with...
Dell EMC PowerProtect Cyber Recovery for AWS provides a fast, easy-to-deploy public cloud vault to...
Aqua’s cloud native application protection platform becomes the only solution that protects cloud...
54% of organisations working on a security transformation project now or in the next 12 months.
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Zscaler Zero Trust exchange cloud-based architecture enables superior green security capabilities...