2017 Trends in Security Metrics and Security Assurance Measurement
Introduction
Most managers today have heard one or more variations of the old adages “What gets measured gets
improved,” and “You can’t manage what you don’t measure.” Few, if any, business managers today,
including IT security leaders, would dispute the idea that finding a way to measure and track performance
has enormous benefit. However, while the idea of measurement seems simple on the surface, and is almost
universally acknowledged as a good business practice, applying the notion of measurement to IT security
programs can be very challenging.
Security metrics can help IT security teams measure the effectiveness of IT controls and demonstrate
compliance with internal security policies, governance frameworks, and regulatory requirements. Security
metrics can also be used to diagnose problems, identify weak links in your security posture, facilitate
benchmark comparisons, and drive performance improvement. And last, but most certainly not least,
security metrics can be used by IT security teams to show business executives and boards how existing and
planned IT security programs align with business needs.
When it comes to IT security assurance measurement, it may be surprising that even in such a highly
technical and data-oriented field as security, it’s not always clear how IT security metrics can and should
be used to measure the performance of IT security programs. What approaches are IT organizations taking
today in terms of security metrics collection, reporting, and usage? Who are security metrics shared with
and how often? Are security metrics currently being used by IT security teams to demonstrate business
alignment? To demonstrate ROI? If so, what is the impact? And most importantly, how effective are current
approaches to using security metrics as part of a broader approach to security assurance measurement?
The “2017 Trends in Security Metrics and Security Assurance Measurement Report” was commissioned by
Tenable to measure the attitudes, beliefs, and perceptions of IT security professionals in relation to security
metrics. It was also designed to discover whether current approaches to security assurance measurement are
meeting the needs of IT security teams, CISOs, business executives and boards.
This report represents a global survey of 315 IT security decision makers in companies with more than
100 employees across a wide range of vertical industries and geographic regions. In it, we quantify the
experiences modern IT security teams have with capturing, using and sharing metrics used to measure
security assurance. Also examined is how IT security teams use security metrics to communicate the state
of security assurance and security program effectiveness within their own teams, and the ways security
metrics are used in communications with business executives and the board.
Key Takeaways from the 2017 Report:
1. Regular collection, irregular reporting. Although 92% of survey respondents collect security
metrics, only 42% regularly report their metrics. However, survey results also found that IT security
teams who consistently collect and report on security metrics are almost twice as likely to be viewed
as strategic partners by the business. This indicates that IT security teams who collect security
metrics but do not use a regular reporting cadence are missing an important opportunity to be viewed
as a strategic partner by the business.
2. Security metrics typically collected to demonstrate compliance. Security metrics are most
commonly used for demonstrating compliance (74%). Other frequently reported uses included
measuring security program capabilities and maturity (57%), and justifying increased security
investments (51%).
3. Primary driver behind security metrics usage is brand protection. Just over a third of respondents
(38%) were primarily concerned with protecting the brand, customer data and customer privacy. Another
third (33%) felt that metrics help them measure whether they are following IT security best practices.
4. Manual metric collection still common. 92% of survey respondents still rely on some manual
processes to collect security metrics. Only 8% reported fully automated collection.
www.DimensionalResearch.com
5. Fewer than half view their IT security teams as a strategic partner to the business. Survey
results showed a clear correlation between use of security metrics and being viewed as a strategic
partner. Consistency in reporting also appeared to be a key factor in terms of being perceived as a
strategic partner to the business.
6. Lack of confidence in the value of security investments is prevalent. More than 70% report they
are not confident that the value from their security spend over the past 24 months has delivered
measurable benefits that justified the investment made (ROI).
7. Clear business objectives are still lacking. Survey results showed that clear business
objectives were associated with higher security investment ROI. IT security teams with clear business
objectives that map to security metrics were more than twice as likely to report value from their
security investments. However, more than two-thirds reported that they either had no business
objectives, or that the objectives they had lacked clarity.
8. Security metrics reporting is common within IT, but less common outside of IT. Too often,
security metrics information stays within the IT team. Fewer than half reported
security metrics outside of IT. Less than a quarter (24%) reported that their security metrics are seen
by the CIO or CISO. Only 23% reported that their metrics were shared with business executives, and
only 18% stated that security metrics were shared with the board.
9. Once boards get metrics, they want regular updates. Of the 18% that share their metrics with
their board, almost a third (31%) update their boards monthly, while another third (33%) update
their boards quarterly. Only a small number of survey respondents (3%) report that they update their
boards only upon request.
The remainder of this report provides detailed findings and insights into current trends in security
assurance measurement and security metric collection, usage, and reporting.
Security Metric Collection, Reporting, and Usage
A primary area of focus for the research survey was on obtaining data regarding current trends in security
metric collection, reporting, and usage.
Security metrics collection widespread, but reporting irregular
The majority of IT security teams responding (92%) collect metrics related to security. In fact, only a few
companies with more than 100 employees (8%) report that they do not collect security metrics.
[Chart: Does your organization use security metrics?]
- Yes, we consistently collect and regularly report security metrics: 43%
- We collect security metrics, but don't report them consistently: 49%
- No: 8%
However, d