No one likes to give bad news, and that is especially true when the recipient is the boss. So it is no real surprise that there is a severe gap in security visibility and perception between C-level executives and IT security staff, a new report said.
In nearly 60 percent of the organizations, responsibility for managing the impact of business or technology change on security posture resides with C-Level executives (CSO, CISO, CIO, CTO, etc.), and in 66 percent of the organizations surveyed, executive and board perception of security is “high,” according to a new Ponemon Institute study sponsored by FireMon.
However, the information on which that perception is based is incomplete, with 60 percent of IT security staff informing executives of specific risks only when the risk is deemed “serious,” or not at all – and in more than half of the cases, actively omitting negative facts, the study said.
On the heels of the Target breach, and the revelation that Target management ignored security alerts, the findings go to the core of what appears to be an endemic issue across every industry.
“What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data,” said study author, Dr. Larry Ponemon. “The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally. We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”
The root causes of the broken communication and resulting vulnerability lie in an organizational inability to handle change and accurately set, measure and improve metrics to manage its impact. The study shows:
• While 74 percent of respondents see security metrics as important, 69 percent see an issue of metrics conflicting with business goals and 62 percent feel current metrics don’t provide enough information.
• More than 40 percent see Cloud and mobility/BYOD as the technologies with the greatest impact on security effectiveness. Yet, specific to Cloud, 46 percent said current metrics can’t quantify the full security impact of Cloud models.
• This inexact measurement of change leads IT security staff to rate their agility (57 percent) and effectiveness (56 percent) to accommodate change as “low.” As a result, 64 percent rate their organization’s overall security posture as “moderate” or “low.”
According to the findings, there is overwhelming agreement that metrics are critical to achieving an effective security change management process. Further, respondents rated real-time analysis as essential or important to understanding new and emerging security risks. However, such metrics and analysis seem to be lacking in most organizations.
The study surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields at Fortune 500 class organizations with 1,000 or more employees.