Security metrics fail to aid exec understanding, say IT pros

IT professionals struggle to communicate effectively about security to senior executives, a study on risk-based security management reveals

IT professionals struggle to communicate effectively about security to senior executives, a study on risk-based security management has revealed.

Almost half of more than 500 UK IT professionals polled by the Ponemon Institute believe that security metrics do not communicate risk efforts to executives accurately.

While 73% said metrics are important or very important to a risk-based security programme, 51% do not believe that the security metrics used by their organisations are aligned with business objectives.

“Even though most organisations rely on metrics for operational improvement in IT, more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

The problem of finding meaningful metrics is a common one, according to security firm Tripwire, which commissioned the study.

It is also the biggest challenge to chief information security officers (CISOs) who seek to use security metrics to influence business leadership and build a risk management practice in their companies, according to Rekha Shenoy, vice-president of marketing and corporate development at Tripwire.

The findings highlight a security communication gap that still exists in many organisations.

According to the research report, one potential contributing factor is that security professionals have traditionally viewed metrics as valuable operational performance measurements, while executives tend to evaluate security based on cost.

However, neither of these approaches is well adapted to communicating the effectiveness of risk-based security programmes.

This disconnect demonstrates the escalating value of communication skills in senior security roles, according to the report.

“As business leaders are required to disclose more about their organisation’s security risks, those business-oriented security executives with good communication skills will be in even greater demand,” the report said.

In rating their own effectiveness in communicating all relevant facts about the state of security risk to senior executives, 47% of IT professionals said they are “not effective”.

When asked why they did not create metrics that are well understood by senior executives, 53% of respondents said the information is too technical to be understood by non-technical management.

Some 42% said pressing issues tended to take precedence, and 43% said they communicated with executives only when there was an actual security incident.

More than a third said it takes too much time and resources to prepare and report metrics to senior executives, while 13% said senior executives are not interested in the information.

The report concludes that finding meaningful ways to successfully bridge this communication gap is critical to broader adoption of risk-based security programmes.

“The onus for this effort clearly lies with IT security and risk professionals,” the report said.