infographic
New IT security professionals invariably have KPIs but employers are not acknowledging their bearing on business success, new research from Thycotic reveals.
The vast majority of IT security professionals work to a set of Key Performance Indicators (KPIs) yet struggle to align these metrics with overall business goals, according to a new study by Thycotic, a provider of privileged access management (PAM) solutions for more than 10,000 organisations worldwide.

More than four out of five (84%) respondents have KPIs and an even higher proportion (92%) say they review security in terms of its impact on the business. Even so, nearly half (44%) say their organisation struggles to align security initiatives with the business’ overall goals, while more than a third (35%) aren’t clear what the business goals are.

Following interviews with more than 100 IT security decision makers within the UK, the research shows the most popular performance metric is to count the number of security breaches (56%), followed by time taken to resolve a breach (51%).

It appears, however, these criteria may not be that useful. Around two in five (39%) say they have no way of measuring what difference past security initiatives have made to the business. Furthermore, more than a third (36%) agree it’s not a priority for them to measure security success once initiatives have been rolled out.
Opening the purse strings
Lack of clarity around metrics has a knock-on effect when it comes to obtaining budgets to fund further IT security initiatives. When asked what makes the biggest difference to how IT security budget is allocated, nearly half of the respondents (47%) point to evidence of the success and ROI of previous security initiatives.

Other strategies include benchmarking levels of security spend against the competition (37%), while talking up the fear factor remains a favourite tactic (38%). Interestingly, more than a quarter (27%) of respondents look to evidence of past success as the most important way to justify security spend.
Disconnected from the business
There is evidence to suggest security teams’ everyday focus on responding to immediate threats and incidents leads them to become too disconnected from the business. Over a third (36%) have no clear vision of how other departments measure success, while 38% agree business goals are not communicated to them. In consequence, security professionals feel removed from the rest of the business. This is reflected in their relatively low opinion of the impact they are making. Asked if security teams are hitting a home run or ‘just par for the course’, less than one fifth (17%) feel their role/team consistently meets expectations.
The reactive nature of an IT security professional’s work leaves them constantly looking to past achievements to demonstrate their value – a metric that bears no correlation to the organisation’s current situation or success.
Issue 19 | www.intelligentciso.com