EDITOR’S QUESTION
HOW FAR CAN A POOR CYBERSECURITY APPROACH DETERMINE A COMPANY’S REPUTATION?
BitSight, the Standard in Security Ratings, has announced the
availability of a new study that evaluates how executives
understand and effectively measure their cybersecurity
performance and adequately communicate it to the board, senior
executives, customers and critical stakeholders. The September 2019
commissioned study conducted by Forrester Consulting on behalf of
BitSight titled, Better Security And Business Outcomes With Security
Performance Management, indicates that cybersecurity performance
is critical to achieving commercial success. Among the study’s most
interesting findings is that nearly two in five (38%) of enterprises admit
they have lost business due to either a real or perceived lack of security
performance within their organisation.
“Financial success, brand perception, business continuity and
company reputation now all hinge on security performance,” said
Tom Turner, CEO, BitSight. “But in order to effectively manage
performance, you have to measure it. We think this study should
serve as a wake-up call for security leaders and their executives
and boards to take a close look at their strategies for security
performance measurement and reporting – after all, their
businesses are now on the line.”
Based on a survey of 207 security decision makers with responsibility
for risk, compliance and/or communications with boards of
directors, the study explores the organisational misalignment and
technological complexities that commonly prevent organisations
from realising effective security performance management (SPM).
Additional noteworthy findings include:
• Effective security performance management drives business
wins and better security outcomes. Nearly three-quarters of
C-level respondents say that improved security performance
measurement would greatly or significantly improve company
financial performance, while the majority of respondents overall
agree that improved measurement would improve company
business continuity (82%) and company reputation (81%).
Additionally, companies that have formal security performance
metrics are more likely to successfully manage security: they are
nearly two times more likely to develop security policies, update
security technology and perform security training
• Commercial success is at risk due to missteps in effectively
measuring security performance and communicating it to
external stakeholders. Seventy-nine percent of security decision
makers surveyed say customer and partner demands for
cybersecurity reporting have intensified, but decision makers also
say customers and partners receive some of the least accurate
reporting of any security stakeholder
• Metrics are critical to understanding and improving
communication around security performance, but there is vast
room for improvement in current methods. Sixty-three percent of
respondents have introduced formal security performance metrics,
but four of the five most commonly reported measurements lack context,
paint an incomplete picture of security performance and can leave
companies blind to potential risk. These metrics include: the
number of malware incidents blocked; the number of intrusions
blocked by a firewall/network security (50%); the percentage of
filtered phishing/malicious emails (45%); and the number of data
loss prevention incidents (40%)
• Cybersecurity risk ratings emerge as an early security metric bright
spot. Forty-five percent of respondents report using cybersecurity
ratings, making it the third-most common metric overall.
Forty-nine percent say security ratings are their top preferred
metric. Derived from objective, verifiable information, security
ratings provide a strategic and contextualised measurement of
security performance. Forty-three percent of companies using
cybersecurity ratings report them out to customers and partners
and 63% report them up to the board, indicating that security
ratings are emerging as a top method for security performance
communication across key company stakeholders
www.intelligentcio.com