Discipline Lacking When Making Cybersecurity Investments
July 31, 2017
The 2017 State of Cybersecurity Metrics Report surveyed more than 400 global
business and security executives. Based on internationally
accepted standards for security specified in ISO 27001, as well
as best practices from industry experts and professional
associations, a Security Measurement Index provided a
comprehensive benchmark to define how well an organization is
measuring the effectiveness of its IT security.
According to the 2017 Report, more than half of the 400
respondents in the survey, 58 percent, scored an "F" or "D"
grade when evaluating their organization's efforts to measure
their cybersecurity investments and performance against best
"It's really astonishing to have the results come in and see
just how many people are failing at measuring the effectiveness
of their cybersecurity and performance against best practices,"
said Joseph Carson, Chief Security Scientist at Thycotic. "At a
time when threats are escalating and the need for quantifiable
metrics is putting security teams and executives under
pressure, the 2017 State of Cybersecurity Metrics Report reveals
what is actually occurring so that companies can produce
assurances, remedy their errors and protect their businesses."
With global companies and governments spending more than $100
billion a year on cybersecurity defenses, a substantial number,
32 percent, of companies are making business decisions and
purchasing cybersecurity technology blindly. Even more
disturbing, more than 80 percent of respondents fail to include
business users in making cybersecurity purchase decisions, nor
have they established a steering committee to evaluate the
business impact and risks associated with cybersecurity
Additional key findings from the 2017 State of Cybersecurity
Metrics Report include:
• One in three companies invest in cybersecurity technologies without
any way to measure their value or effectiveness.
• Four out of five companies don't know where their sensitive
data is located, nor how to secure it.
• Four out of five companies fail to communicate effectively with
business stakeholders and include them in cybersecurity
• Two out of three companies don't fully measure whether their
disaster recovery will work as planned.
• Four out of five never measure the success of security training.
• While 80 percent of breaches involve stolen or weak
credentials, 60 percent of companies still do not adequately
protect privileged accounts - their keys to the kingdom.
• Small businesses are targeted in two out of three cyberattacks.
• Sixty percent of small businesses go out of business six months
after a breach.
"Thycotic's research team issued this report to not only show
the errors that are disrupting business, but also to educate
security professionals and executives on which areas are lacking
and how to improve," added Carson. "Our report provides
recommendations to educate, protect, monitor and measure their
security programs so that improvements can be targeted where
they will be most effective."