What prevents companies from achieving effective security performance management?

Cybersecurity performance is critical to achieving commercial success, according to a BitSight study.

Among the study’s most interesting findings is that nearly two in five (38 percent) of enterprises admit that they have lost business due to either a real or perceived lack of security performance within their organization.

Based on a survey of 207 security decision makers with responsibility for risk, compliance, and/or communications with boards of directors, the study explores the organizational misalignment and technological complexities that commonly prevent organizations from realizing effective security performance management (SPM).

Additional noteworthy findings

Effective security performance management drives business wins and better security outcomes. Nearly three-quarters of C-level respondents say that improved security performance measurement would greatly or significantly improve company financial performance, while the majority of respondents overall agree that improved measurement would improve company business continuity (82 percent) and company reputation (81 percent).

Additionally, companies that have formal security performance metrics are more likely to successfully manage security: they are nearly two times more likely to develop security policies, update security technology and perform security trainings.

Their investment decisions and strategies are also better trusted by executives and board members: using formal security metrics means security leaders are likely to see a 10 percent or greater year-over-year increase in security budget.

Commercial success is at risk due to missteps in effectively measuring security performance and communicating it to external stakeholders. Seventy-nine percent of security decision makers surveyed say customer and partner demands for cybersecurity reporting have intensified, but decision makers also say customers are partners receive some of the least accurate reporting of any security stakeholder.

Additionally, 82 percent agree that customer and partner perception of security is increasingly important to the way their firm makes decisions.

Metrics are critical to understanding and improving communication around security performance, but there is vast room for improvement in current methods. Sixty-three percent of respondents have introduced formal security performance metrics, but four of the five top reported measurements lack context and paint an incomplete picture of security performance and can leave companies blind to potential risk.

These metrics include: the number of malware incidents blocked (used by 50 percent of respondents); the number of intrusions blocked by a firewall/network security (50 percent); the percentage of filtered phishing/malicious emails (45 percent); and the number of data loss prevention incidents (40 percent).

Cybersecurity risk ratings emerge as an early security metric bright spot. Forty-five percent of respondents report using cybersecurity ratings, making it the third-most common metric overall. Forty-nine percent of respondents say that security ratings are their top preferred metric. Derived from objective, verifiable information, security ratings provide a strategic and contextualised measurement of security performance.

Forty-three percent of companies using cybersecurity ratings report them out to customers and partners, and 63 percent report them up to the board, indicating that security ratings are emerging as a top method for security performance communication across key company stakeholders.