IT security blind spots created by SMEs due to incorrect metrics

The results, collected through a survey of IT decision makers at companies with more than 500 employees by Vanson Bourne, also indicate that there is a communication gap between the IT department and the boardroom—despite the fact that frequency of reporting between the two is increasing. In addition, the survey uncovers a potential to increase efficiency in IT security actions by reducing the current extensive reporting times.

Top on the list of tracked key performance indicators (KPIs) in the UK, with 57 per cent, is “quantity of security breaches detected.” This KPI is a strong trailing indicator of detective and preventative controls, but it does not necessarily enable proactive prevention of further incidents. However, KPIs that do demonstrate proactive prevention are only tracked by a minority of companies, with 41 per cent listing “checking if their systems are equipped with up-to-date anti-virus or malware protection” and 30 per cent “monitoring if they are equipped with the latest software versions” – both indicators that are critical for determining IT security status.

Because of zero-day exploits, minimising the time to roll out new patches or antivirus patterns is critical – yet the former KPI is only being measured by 32 per cent and the latter by 19 per cent. Encouragingly, 48 per cent of respondents in the UK say that they want to track more KPIs, but claim that lack of manpower and an automated approach is holding them back.
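To make the distinction between the trailing KPI (detections counted) and the leading KPIs the survey says are under-tracked (anti-virus pattern currency, software version currency, time to roll out patches) concrete, here is an added example that is not part of the original article or of Tenable's tooling. It runs over a constructed host inventory and detection log; the host names, dates, versions and the two-day signature-age threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample inventory (not survey data): one record per monitored host.
@dataclass
class HostRecord:
    hostname: str
    av_signature_date: date         # date of the newest AV/malware pattern on the host
    installed_version: str          # version of the monitored software on the host
    latest_version: str             # newest vendor release for that software
    patch_released: Optional[date]  # release date of the latest critical patch
    patch_installed: Optional[date] # date the host received it (None = still missing)

AS_OF = date(2015, 6, 1)     # constructed reporting date
MAX_SIGNATURE_AGE_DAYS = 2   # assumed threshold for "up-to-date" AV patterns

INVENTORY = [
    HostRecord("ws-01", date(2015, 5, 31), "4.2.1", "4.2.1", date(2015, 5, 20), date(2015, 5, 22)),
    HostRecord("ws-02", date(2015, 5, 31), "4.1.0", "4.2.1", date(2015, 5, 20), date(2015, 5, 27)),
    HostRecord("ws-03", date(2015, 5, 10), "4.2.0", "4.2.1", date(2015, 5, 20), None),
    HostRecord("srv-01", date(2015, 6, 1), "4.2.1", "4.2.1", date(2015, 5, 20), date(2015, 5, 21)),
    HostRecord("srv-02", date(2015, 5, 20), "4.0.9", "4.2.1", date(2015, 5, 20), None),
]

# Constructed detection log: the trailing KPI the survey says is tracked most.
DETECTION_LOG = [
    {"host": "ws-03", "signature": "Trojan.Generic", "action": "quarantined"},
    {"host": "srv-02", "signature": "PUA.Adware", "action": "quarantined"},
    {"host": "ws-03", "signature": "Trojan.Generic", "action": "quarantined"},
]

def breaches_detected(log):
    """Trailing indicator: number of detections. Says nothing about hosts that
    detected nothing because their protection was stale."""
    return len(log)

def av_current_pct(inventory, as_of=AS_OF, max_age=MAX_SIGNATURE_AGE_DAYS):
    """Leading indicator: share of hosts whose AV pattern is no older than max_age days."""
    current = sum(1 for h in inventory if (as_of - h.av_signature_date).days <= max_age)
    return round(100.0 * current / len(inventory), 1)

def software_current_pct(inventory):
    """Leading indicator: share of hosts running the latest vendor version."""
    current = sum(1 for h in inventory if h.installed_version == h.latest_version)
    return round(100.0 * current / len(inventory), 1)

def patch_rollout_days(inventory, as_of=AS_OF):
    """Time-to-patch per host in days. Hosts still unpatched are charged with the
    elapsed time so far, so the metric cannot be improved by ignoring them."""
    days = []
    for h in inventory:
        if h.patch_released is None:
            continue
        end = h.patch_installed if h.patch_installed is not None else as_of
        days.append((end - h.patch_released).days)
    return days

def median_patch_rollout_days(inventory, as_of=AS_OF):
    """The 'time to roll out new patches' KPI, summarised as a median."""
    return median(patch_rollout_days(inventory, as_of))

def unpatched_hosts(inventory):
    """The blind spot the trailing KPI hides: hosts that never received the patch."""
    return sorted(h.hostname for h in inventory
                  if h.patch_released is not None and h.patch_installed is None)

def kpi_report(inventory=INVENTORY, log=DETECTION_LOG, as_of=AS_OF):
    """Board-ready summary pairing the trailing count with the leading coverage KPIs."""
    return {
        "breaches_detected": breaches_detected(log),
        "av_current_pct": av_current_pct(inventory, as_of),
        "software_current_pct": software_current_pct(inventory),
        "median_patch_rollout_days": median_patch_rollout_days(inventory, as_of),
        "unpatched_hosts": unpatched_hosts(inventory),
    }

if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key}: {value}")
```

On the constructed data the detection count is three, which in isolation looks like the controls are working; the leading KPIs show that only 60 per cent of hosts have current patterns, 40 per cent run the latest version, and two hosts have not received the critical patch at all. Counting unpatched hosts against the reporting date rather than dropping them is the design choice that keeps the patch-rollout KPI honest.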

“Transparency around security is key for IT managers who are constantly playing catch-up to the ever-evolving threat landscape,” said Gavin Millard, Technical Director for Tenable Network Security in Europe, Middle East and Africa. “Despite this, 54 per cent of IT decision makers are tracking the number of malware detected, which is often viewed as a false flag metric. Measuring the amount of malware detected gives little insight into the efficiency and effectiveness of the control; it merely indicates that it is functioning on some of the systems, some of the time. Strategic decisions based on the wrong data are not only ineffective but can also give a false sense of security.”

Over half of IT managers report the company’s security status to their board once per quarter or more frequently. In fact, 49 per cent confirm that IT security is a high priority for their CEO, with seven per cent saying it is a top priority. Furthermore, 50 per cent share half or more of all KPIs tracked with their board, with 26 per cent sharing all of them.

Creating transparency in IT security is a huge task – 39 per cent of UK companies have IT security solutions from three or more vendors in place and 53 per cent compile all their reports manually, of which 54 per cent need to report every quarter or more. In line with these findings 40 per cent confirmed that it takes up to two or three days to compile a management-ready report. In view of this, 54 per cent consider more resources for monitoring solutions to add additional value to protect their organisation from threats.

“Looking at these results specifically, it becomes painfully clear that IT staff are spending a large portion of their time on reporting,” explained Millard. “This is time that is being taken away from more strategic tasks designed to improve overall IT security of the business. The drain to resources is then compounded by the increasing workload driven by the rise of mobile and cloud—34 per cent of survey respondents confirmed they had to add 20 per cent or more devices or services to their monitoring efforts within the last twelve months.”

“As long as security blind spots within an organisation exist, businesses will not be able to rest easy from the threat of attack. Gaining clarity on the effectiveness of the investments currently made within security and making risk-based, data-driven decisions on what other controls are necessary put businesses on a more secure footing.”
