Security Metrics Are Undervalued, Misunderstood
Keeping your corporate network secure is arguably the most important aspect of any CIO’s job. But a new study from risk-based security compliance company Tripwire seems to indicate that determining the metrics for security and conveying to the business side what it takes to keep a company safe is quite difficult. And when security and its importance cannot be conveyed to the business side, security itself suffers.

“Chief Information Security Officers talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies,” says Rekha Shenoy, vice president of marketing at Tripwire. “Unfortunately, they struggle with the bigger challenge of producing meaningful metrics while those they use are rarely aligned with business goals.”

In other words, there’s a communication problem in the enterprise. And unfortunately, the communication problem is directly tied to corporate security. Tripwire’s study, which includes responses from more than 1,300 IT professionals, reveals a profound disconnect between business and IT when it comes to conveying security’s importance in the enterprise.