A new study published by the Ponemon Institute and Tripwire shows that risk-based IT security metrics are often too complicated for a company’s senior executives.
According to the report, 75% of the 1,321 US and UK respondents say that metrics are important or very important to a risk-based security program.
On the other hand, over half of them are not convinced that the security metrics used by their organizations are properly aligned with the business objectives.
Furthermore, 51% of those surveyed are not sure that the metrics are understood by senior executives.
Most of the respondents (59%) say the information is too technical for non-technical management. In addition, 48% say they have other, more important issues than the security metrics.
40% only communicate with executives when there is an actual incident, while 35% believe that it takes too much time and resources to prepare a report for management.
18% of those surveyed simply believe that the management is not interested in learning about security metrics.
“Even though most organizations rely on metrics for operational improvement in IT, more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
Rekha Shenoy, vice president of marketing and corporate development at Tripwire, commented, “These results correlate with the dozens of conversations we have been having with CISOs across the globe.”
Shenoy added, “CISOs talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies. Unfortunately, they struggle with the bigger challenge of producing meaningful metrics, while those they use are rarely aligned with business goals.”
The complete State of Risk-Based Security Management report is available here.