Home →Security →Why Security Metrics Miss the Mark

Why Security Metrics Miss the Mark

By Karen A. Frenkel | Posted 08-08-2016

1 of

Why Security Metrics Miss the Mark

IT security pros need to consider metrics such as dwell time, or reducing the time a threat is in a network, which helps strengthen overall security posture.
Executives Are Tentative About Security Posture

31% of respondents are still very confident about their security posture, but 65% are only somewhat confident.
Communication Over Security Posture

28% of respondents said the security metrics they use to communicate are effective whereas 65% said the metrics are only somewhat effective.
Where Is the Disconnect?

Executives rely on quantitative metrics while breaches occur.
Number of Breaches Experienced

63% of respondents said they have experienced breaches that resulted in the lost or compromised data this past year.
Why Executives Are Not Confident About Security

Executives are not confident about their security posture because of the way they measure it; most count alerts and incidents, which does not shed light on the real security posture.
Quantitative Metrics Won't Help

"Using quantitative metrics—like counting breaches, totaling response times, and calculating downtime—does not help when breaches are a constant," the report states.
Metrics Used

Rather than measure dwell time, more organizations measure cost of incidents (39%) and reduction in vulnerabilities (39%). These are not as important as how long the threat, attacker or attack vector exists inside an organization and actions taken once past defenses.
The Importance of Dwell Time

Only 33% of those surveyed measure dwell time, the elapsed time from initial breach to containment. If you limit the time a threat exists, damage to the enterprise will be minimized.
Time Spent in Network Before Discovery

Attackers spend an average of 229 days inside a network before they are discovered. The cost of the average breach: $5.85 million in the United States.
Recommendation

Reduce the time a malicious threat acts from within. This will greatly reduce potential damage, speed of mitigation and contain exposure.
- Why Security Metrics Miss the Mark
  
  View Slideshow »
View All Slideshows >

A majority of IT security executives are only somewhat confident in their enterprise's security, according to a new survey. One-third of respondents are confident in their security posture and one-quarter said they communicate effectively about security metrics and posture to senior management. These executives continue to rely mainly on quantitative metrics aimed at preventing breaches. "With security spending continuing to skyrocket, it's more important than ever to be able to report on metrics that matter, not just quantitative metrics like counting breaches," said Ed Hammersla,Chief Strategy Officer and President, Federal Division, Forcepoint.

"To be more confident, we need to shift our thinking to metrics such as dwell time, or reducing the time the threat is in our network, which reduces damage and helps strengthen our overall security posture." The main take away: intruders can do more damage the longer they poke around and move laterally within a network. If an organization limits the time a threat exists, it will minimize damage. The study, "Why Executives Lack Security Posture of Confidence," was conducted by Forcepoint and included 100 responses from American IT security executives.

Karen A. Frenkel writes about technology and innovation and lives in New York City.