The Ponemon Institute has conducted a study on behalf of FireMon

Apr 16, 2014 17:35 GMT

The executives and the board of many organizations think that their networks are secure, but a new study commissioned by FireMon shows that the perception is based on information that’s often “disturbingly incomplete.”

For example, 66% of the executives and board members believe that their security is “high.” On the other hand, 31% of IT security staff admit that they only inform executives of specific issues if the risks are “serious,” and 29% say they don’t communicate with senior executives at all.

This leads to a major gap between what IT security practitioners think and what they believe their CEOs and boards think.

In over half of the surveyed organizations, negative facts are filtered out before being disclosed to the CEO and senior executives.

“What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data. The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally,” said Dr. Larry Ponemon, the author of the study.

“We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”

The new study also reveals that while 74% view security metrics as being important, 62% believe the current metrics don’t provide enough information. Furthermore, 69% say security metrics interfere with business goals.

When it comes to barriers in managing IT security changes, most respondents named insufficient resources or budget and a lack of effective technology solutions.

“The biggest issue is that IT security teams are flying blind. Networks are becoming more complex and expansive, while we freeze or reduce the resources tasked with managing them,” said Jody Brazil, president and CTO of FireMon.

“The fact that the study shows 60 percent performing manual auditing or none at all is alarming. In a threat environment that is 'always on' and aggressive, teams must have the ability to automate and continuously monitor and assess dynamic network environments, and be equipped with proactive tools to provide predictive and prioritized intelligence on an ever-shifting risk profile.”

The complete “Security Metrics to Manage Change: Which Matter, Which Can Be Measured?” report is available on FireMon’s website. The study is based on the responses of close to 600 individuals who work in IT, IT security, compliance and risk management at Fortune 500 organizations with at least 1,000 employees.