HOW FAR CAN A POOR CYBERSECURITY APPROACH DETERMINE A COMPANY’S REPUTATION?
BitSight, a leading security ratings company, has announced the availability of a new study that evaluates how executives understand and effectively measure their cybersecurity performance and adequately communicate it to the board, senior executives, customers and critical stakeholders. The September 2019 commissioned study, conducted by Forrester Consulting on behalf of BitSight and titled Better Security And Business Outcomes With Security Performance Management, indicates that cybersecurity performance is critical to achieving commercial success. Among the study’s most interesting findings is that nearly two in five (38%) enterprises admit they have lost business due to either a real or perceived lack of security performance within their organisation.
“Financial success, brand perception, business continuity and company reputation now all hinge on security performance,” said Tom Turner, CEO, BitSight. “But in order to effectively manage performance, you have to measure it. We think this study should serve as a wake-up call for security leaders and their executives and boards to take a close look at their strategies for security performance measurement and reporting – after all, their businesses are now on the line.”
Based on a survey of 207 security decision makers with responsibility for risk, compliance and/or communications with boards of directors, the study explores the organisational misalignment and technological complexities that commonly prevent organisations from realising effective security performance management (SPM). Additional noteworthy findings include:
www.intelligentciso.com | Issue 19
• Effective security performance management drives business wins and better security outcomes. Nearly three-quarters of C-level respondents say that improved security performance measurement would greatly or significantly improve company financial performance, while the majority of respondents overall agree that improved measurement would improve company business continuity (82%) and company reputation (81%). Additionally, companies that have formal security performance metrics are more likely to successfully manage security: they are nearly two times more likely to develop security policies, update security technology and perform security training.
• Commercial success is at risk due to missteps in effectively measuring security performance and communicating it to external stakeholders. Seventy-nine percent of security decision makers surveyed say customer and partner demands for cybersecurity reporting have intensified, but decision makers also say customers and partners receive some of the least accurate reporting of any security stakeholder.
• Metrics are critical to understanding and improving communication around security performance, but there is vast room for improvement in current methods. Sixty-three percent of respondents have introduced formal security performance metrics, but four of the five top reported measurements lack context, paint an incomplete picture of security performance and can leave companies blind to potential risk. These metrics include: the number of malware incidents blocked; the number of intrusions blocked by a firewall/network security (50%); the percentage of filtered phishing/malicious emails (45%); and the number of data loss prevention incidents (40%).