Security Pros Struggle to Quantify what Success Looks Like
October 2019 by Thycotic
IT Security Professionals Invariably have KPIs but Employers are not Acknowledging their Bearing on Business Success, New Research from Thycotic Reveals
The vast majority of IT security professionals work to a set of Key Performance Indicators (KPIs) yet struggle to align these metrics with overall business goals, according to a new study by Thycotic, a provider of privileged access management (PAM) solutions for more than 10,000 organisations worldwide. More than four out of five (84%) respondents have KPIs and an even higher proportion (92%) say they review security in terms of its impact on the business. Even so, nearly half (44%), say their organisation struggles to align security initiatives with the business’s overall goals while more than a third (35%) aren’t clear what the business goals are. Following interviews with more than 100 IT security decision makers within the UK, the research shows the most popular performance metric is to count the number of security breaches (56%) followed by time taken to resolve a breach (51%). It appears, however, these criteria may not be that useful. Around two in five (39%) say they have no way of measuring what difference past security initiatives have made to the business. Furthermore, more than a third (36%) agree it’s not a priority for them to measure security success once initiatives have been rolled out.
Opening the Purse Strings
Lack of clarity around metrics has a knock-on effect when it comes to obtaining budgets to fund further IT security initiatives. When asked what makes the biggest difference to how IT security budget is allocated, nearly half of the respondents (47%) point to evidence of the success and ROI of previous security initiatives. Other strategies include benchmarking levels of security spend against the competition (37%) while talking up the fear factor remains a favourite tactic (38%). Interestingly, more than a quarter (27%) of respondents look to evidence of past success as the most important way to justify security spend.
Disconnected from the Business
There is evidence to suggest security teams’ everyday focus on responding to immediate threats and incidents leads them to become too disconnected from the business. Over a third (36%) have no clear vision of how other departments measure success while 38% agree business goals are not communicated to them. In consequence, security professionals feel removed from the rest of the business. This is reflected in their relatively low opinion of the impact they are making. Asked if security teams are hitting a home run or ‘just par for the course’, less than one fifth (17%) feel their role/team consistently meets expectations.