More than a third of enterprises have lost business due to cyber security failures

Published: Wednesday, 04 September 2019 08:23

BitSight has published a new study that evaluates how executives understand and effectively measure their cyber security performance and adequately communicate it to the board, senior executives, customers, and critical stakeholders.

The commissioned study, ‘Better Security And Business Outcomes With Security Performance Management’ conducted by Forrester Consulting on behalf of BitSight, indicates that cyber security performance is now mission critical for businesses. Among the study’s most interesting findings is that 38 percent of enterprises admit that they have lost business due to either a real or perceived lack of security performance within their organization.  

“Financial success, brand perception, business continuity and company reputation now all hinge on security performance,” said Tom Turner, CEO, BitSight. “But in order to effectively manage performance, you have to measure it. We think this study should serve as a wakeup call for security leaders and their executives and boards to take a close look at their strategies for security performance measurement and reporting – after all, their businesses are now on the line.” 

Based on a survey of 207 security decision makers with responsibility for risk, compliance, and/or communications with boards of directors, the study explores the organizational misalignment and technological complexities that commonly prevent organizations from realizing effective security performance management (SPM).

Additional noteworthy findings include:

Effective security performance management drives business wins and better security outcomes. Nearly three-quarters of C-level respondents say that improved security performance measurement would greatly or significantly improve company financial performance, while the majority of respondents overall agree that improved measurement would improve company business continuity (82 percent) and company reputation (81 percent). Additionally, companies that have formal security performance metrics are more likely to successfully manage security: they are nearly two times more likely to develop security policies, update security technology and perform security trainings. Their investment decisions and strategies are also better trusted by executives and board members: using formal security metrics means security leaders are likely to see a 10 percent or greater year-over-year increase in security budget.

Commercial success is at risk due to missteps in effectively measuring security performance and communicating it to external stakeholders. 79 percent of security decision makers surveyed say customer and partner demands for cyber security reporting have intensified, but decision makers also say customers and partners receive some of the least accurate reporting of any security stakeholder.  Additionally, 82 percent agree that customer and partner perception of security is increasingly important to the way their firm makes decisions.

Metrics are critical to understanding and improving communication around security performance, but there is clear room for improvement in current methods. 63 percent of respondents have introduced formal security performance metrics, but four of the five top reported measurements lack context and paint an incomplete picture of security performance and can leave companies blind to potential risk. These metrics include: the number of malware incidents blocked (used by 50 percent of respondents); the number of intrusions blocked by a firewall/network security (50 percent); the percentage of filtered phishing/malicious emails (45 percent); and the number of data loss prevention incidents (40 percent).

Cyber security risk ratings emerge as an early security metric bright spot. 45 percent of respondents report using cyber security ratings, making it the third-most common metric overall. 49 percent of respondents say that security ratings are their top preferred metric. Derived from objective, verifiable information, security ratings provide a strategic and contextualized measurement of security performance. 43 percent of companies using cyber security ratings report them out to customers and partners, and 63 percent report them up to the board, indicating that security ratings are emerging as a top method for security performance communication across key company stakeholders. 

More details.