CyberArk survey finds executives overly reliant on compliance metrics to measure security program effectiveness
Seventy-nine percent of it security professionals report to executive management on compliance, yet 59% say threat detection metrics are most critical.
New industry research sponsored by CyberArk (NASDAQ: CYBR) finds that one-third of CEOs and 43% of management teams are not regularly briefed on cyber security issues. Additionally, while 79% of IT security professionals are reporting on compliance metrics to demonstrate security program effectiveness, 59% state that threat detection metrics are most important.
An independent survey of global IT security professionals, "The Gap Between Executive Awareness and Enterprise Security," drills into the types of metrics used to measure security program effectiveness, frequency of reporting, and other factors such as budget and skills.
The cyber security gap: executive awareness and responsibility
The survey shows that 60% of respondents believe their organisation can be breached. As cyber attacks grow in aggression and impact, CEOs and boards are being held accountable for the security posture of their organisation. A closer look at the perceptions of IT security practitioners regarding executive cyber security leadership provides some clues into what's driving a lack of alignment:
* 61% believe that CEOs do not know enough about cyber security;
* 69% say cyber security is too technical for their CEO;
* 53% think that CEOs make business decisions without regard to security;
* 44% believe CEOs simply do not grasp the severity of today's risks.
IT security professionals need to properly educate executives
While IT security professionals are relying on executive-level leadership on security issues, CEOs are increasingly relying on their IT security teams to provide them with the security information that matters. The survey shows that the cyber security awareness gap may be driven in part by the need for security teams to properly educate CEOs on what's business critical when it comes to security:
* One-third of CEOs are still not regularly briefed on cyber security issues and related business risks;
* Forty-three percent of management teams do not regularly receive security status reports;
* Fifty-nine percent of respondents emphasised threat detection metrics as the most effective for measuring security program effectiveness, yet 79% still provide compliance and audit findings to their CEOs and executive teams;
* Executive visibility into security program effectiveness varies by industry with the highest percentage of respondents in financial services (72%) and healthcare (70%) saying they regularly provide executives with reports and metrics;
* 50% or less of respondents in manufacturing, hospitality, transportation and non-profit industries said that they regularly provide reports and metrics to their executive teams;
"Compliance does not equal security. It can lull a CEO into a state of complacency because all it demonstrates is a simple checking of a box without context for responsible levels of information protection," said John Worrall, chief marketing officer, CyberArk. "Security professionals are briefing executives on the wrong information. They need to arm their CEOs and executive teams with information that matters such threat detection and risk metrics versus compliance and system availability."
Is budget a barrier to effective cyber security?
Improving IT security fundamentals is a critical step in improving an organisation's overall security posture. The survey identified areas for improving organisational security:
* Seventy-five percent of respondents cited budgeting issues as the primary barrier to improving cyber security;
* In the face of a growing cyber security skills gap, 53% cited the lack of expertise as a primary barrier;
* Endpoint security and privileged account security were cited as the top two organisational security priorities over the coming year.
"Increasingly it's CEOs who own the security agenda - whether they want to or not. One of our goals with this survey was to identify specific gaps between IT security and executive teams and help drive productive conversations that prioritize enterprise security," continued Worrall. "By providing greater visibility into how cyber security programs are performing, and regularly communicating needs around budget and skills, IT security professionals will gain the support of the executive team and in turn help their organisation become more proactive in protecting against advanced threats."
To help support the need for greater executive guidance and dialogue around critical cyber security decisions, CyberArk recently launched a new industry initiative, the CISO View. The CISO View provides a forum for the CISO community to share best practices and tangible guidance for building effective cyber security programs. A new report, "The Balancing Act: The CISO View on Improving Privileged Access Controls," features advice from a panel of CISOs from global 1 000 enterprises about how to lead a comprehensive privileged account security program including recommendations for getting executive buy-in, delivering metrics that matter, and measuring effectiveness of the controls. The report is available for free at http://www.cyberark.com/cisoview.
"The Gap Between Executive Awareness and Enterprise Security" survey was conducted by Dimensional Research. The study, commissioned by CyberArk, surveyed 304 global IT security professionals. The primary research goal was to capture hard data on visibility and support of security programs at the executive level. In addition, researchers sought to determine which metrics are used to define security effectiveness.