A greater reliance on metrics to measure success combined with enhancing skills across security teams can help organizations boost their cybersecurity effectiveness, according to a new report from CompTIA.
The use of security metrics to measure success and inform investment decisions is an area that’s taking on greater importance, according to the “2018 Trends in Cybersecurity: Building Effective Security Teams” report.
“Though just one in five organizations makes heavy use of metrics within their security function, a full 50 percent of firms are moderate users of these measurements,” said Seth Robinson, senior director for technology analysis at CompTIA.
“The use of metrics in the cybersecurity realm provides an excellent opportunity to bring together many parts of the business,” he continued. “From the board level through layers of management down to the people executing security activities, all have a vested interest in setting the proper metrics and reviewing progress against goals.”
Robinson advised that the most important guideline for establishing security metrics is to make sure that all aspects of security are covered. This should include:
- Technical metrics, such as the percent of network traffic flagged as anomalous.
- Compliance metrics, such as the number of successful audits.
- Workforce metrics, such as the percentage of employees completing security training.
- Partner metrics, such as the number of external agreements with security language.
Upskilling security teams
The use of security metrics and the formation of security teams should be viewed as complementary activities, though for many organizations some upskilling will be necessary.
“Foundational skills such as network security, endpoint security and threat awareness still form the bedrock of a strong team,” Robinson said. “But as the cloud and mobility have become ingrained into IT operations, other skills have taken on equal or greater importance.”
In the report, organizations said improvement is needed across a broad set of skills, led by vulnerability assessment, knowledge of threats, compliance and operational security, access control and identity, and incident detection and response.
To close their skills gaps, companies are primarily looking to train current employees or expand their use of third-party security expertise. New headcount and new partnerships are secondary considerations. Industry certifications may also play a role.
When it comes to the use of external resources, 78 percent of companies rely on outside partners for some or all of their security needs. Many firms rely on more than one partner, another indicator of the complexity of cybersecurity.
Just over half of firms surveyed (51 percent) use a general IT solution provider, while 38 percent use a general security firm, one that might manage both physical and IT security. About 35 percent of companies are engaged with a focused IT security firm, such as a managed security services provider, and 29 percent use a firm that provides technical business services, such as digital marketing or content management.