In a new Forrester study commissioned by BitSight, “Better Security And Business Outcomes With Security Performance Management”, the key findings point to a strong need for businesses worldwide to invest in a robust security performance management program. Results from the study showed that companies using formal security metrics are more likely to have seen a 10% or greater increase in their security budget in the last year. Ultimately, this investment allows organizations to use the resulting information to win business.
It seems like we hear about a new data breach or cyber incident almost daily. According to this study, in fact, 80% of companies surveyed experienced a security or cyber incident in the past year, the most common being malware attacks.
In this commissioned study, Forrester surveyed 207 security decision-makers online, each with responsibility for risk, compliance, and/or communications with boards of directors, to explore the topic of managing internal cybersecurity performance.
It’s clear that companies increasingly realize that a strong security posture is critical to earning customer trust, securing intellectual property, and protecting their brand identity. Customers want to do business with secure businesses — and since empowered customers can easily move their business elsewhere if they feel vulnerable, security decision-makers must seek to understand and quantify their program’s effectiveness, and measure its impact on business objectives. They need to be on the lookout for indications of failure that will harm the business most. Survey respondents confirmed this by stating that they are more likely to do business with companies with good security, as they know their data and intellectual property are protected.
The need for a security performance measurement solution
Notably, one major key finding from this study emphasizes the need for quantifiable metrics, including security ratings, when managing security performance. When surveyed, respondents said that improved security measurement would greatly improve company financial performance and reduce risk. In fact, nearly three-quarters of C-level respondents confirmed that improved security performance measurement would greatly or significantly improve company financial performance. More than half of companies overall say improving measurement would reduce overall risk.
In addition to reducing overall risk for the business, improving security measurement within an organization can also improve its financial performance. First and foremost, you can’t manage what you can’t measure. Quantifiable security metrics are becoming critical to planning budgets and allocating resources, but the maturity of managing security as a business is still relatively low.
Security is evolving into a business discipline, and so it is being treated like one: 70% of decision-makers agree that scrutiny of security spending efficiency is increasing. And like other business disciplines, formal metrics have emerged as the key method to justify investments (an approach at 63% of companies surveyed). In fact, 49% of decision-makers said that cybersecurity risk ratings are in their top 5 preferred metrics.
In addition to reducing overall risk for the business, improving security measurement can have a direct impact on its financial performance, as validated by these study results. Today, 45% of security and risk leaders use security ratings to measure the performance of their cybersecurity program. At BitSight, our customers use security ratings to align investments and actions with the highest measurable impact over time, efficiently allocate limited resources on the most critical areas of cyber risk within their organization, and facilitate data-driven conversations around cybersecurity among key stakeholders.
By leveraging security ratings, organizations can be confident they are measuring themselves on the same scale that the majority of their key stakeholders use to measure them, whether those stakeholders are partners, regulators, investors, executives, or board members.
There’s no question about it: Being exposed to cyber risk is an inevitable part of doing business in today’s world. In fact, a recent ESG study found that 82% of organizations believe that cyber risk has increased over the past two years.