Senior security leaders within financial services companies are being challenged with a lack of trusted data to make effective security decisions and reduce their risk from cyber incidents, according to Panaseer.
Results from a global external survey of over 400 security leaders that work in large financial services companies reveal concerns on security measurement and metrics that include data confidence, manual processes, resource wastage and request overload.
Issues with processes, people and technologies
The results demonstrate myriad issues with the processes, people and technologies required to have a full understanding of the organization’s cyber posture and the preventative measures required to stop a security control failure from becoming a security incident.
The vast majority (96.77%) of respondents claimed they use metrics to measure their cyber posture, with the primary use for security metrics being risk management (41.69%), demonstrating the success of security initiatives (28.04%), supporting security investment business cases (19.11%) and Board/ executive reporting (10.17%).
Over a third (36.72%) of security leaders said that their biggest challenge in creating metrics to measure and report on risk is ‘trust in the data,’ followed by the resources required to produce them (21.34%), the frequency of requests (14.64%) and confusion over knowing what metric to use (15.3%).
Less than half of respondents (47.75%) could claim to be ‘very confident’ that they are using the right security metrics to measure cyber risk.
Too many security leaders still use spreadsheets
Resource requirements and request overload are cited as other issues fueling the metrics mayhem. On average, security teams are spending 5.34 days a month compiling metrics for managing risk – and that doesn’t include the time the team spending compiling metrics for other stakeholders, including regulators, auditors and the Board. Security leaders also claim they must refresh these security metrics for risk teams every 16 days.
Manual processes are also cited as fuelling data mistrust. Over half (59.8%) of security leaders still rely on spreadsheets to produce metrics and 52.85% are using custom scripts. Nearly one in five (18.75%) admitted to relying exclusively on manual processes to develop their security metrics for risk.
Nik Whitfield, CEO, Panaseer: “Security metrics are frequently cited as the bane of the security teams’ lives. Not knowing the accuracy, timeliness or even limitations of a metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface. The President of the European Central Bank recently went on record to warn that a cyber-attack on a major financial institution could trigger a liquidity crisis.
“We must move on from the era of out-of-date inaccurate metrics to one where they are automated and measured on a continuous basis. Financial service organizations, in particular, need trusted and timely metrics into an organization’s technology risk, segmented where possible to critical operations. With this information, the Board can then have a better understanding of what risks are and aren’t acceptable to keep customer data safe.”