Security Risk Management

Performance Measurement and the Cyber Security Mindshift

Melissa Stevens | August 12, 2014

The other day, I received yet another email asking, "How much cyber security is enough?" You probably recognize this message, and see similar phrases on a regular basis. It's a really interesting question and something that a lot of people ponder, but more importantly, I think it signifies an important mind-shift that is starting to occur in the security space. We're starting to wonder, "When will it be enough? When will I be able to say I'm secure?" The quantification of security performance is now a reality.

Are the Answers in the Data?

Now, more and more teams are starting to look at security performance and optimization. Instead of focusing on the newer, better tools, they've started asking, "How well are we using what we have? Is the issue with our tools or our use of them? Are there areas we can be more effective?" The only way to know this is to measure the results.

This shift is a focus on security outcomes instead of the controls themselves. Performance monitoring has shown that it's not always new technologies that we need - it's the fine-tuning of tools we have in place and a bit of housecleaning that makes the real difference. As explained in a recent BitSight Insights report, some of the most common network vulnerabilities are caused by things like expired certificates, configuration errors and out-of-date patches. These issues are easy to fix, and easy to exploit, when you know the problems exist.

By monitoring performance and effectiveness on an ongoing basis, security teams are finally able to communicate with boards and executives in a language they can understand. Teams can show where performance has improved, where vulnerabilities exist, and how strategy and investments are impacting performance over time. They can make a true, metrics-driven case for new investments in personnel and technology resources. Additionally, with security benchmarking, they can show how performance compares across their industry and against other peers. This shifts the conversation from focusing on "what tools will make us more secure?" to "how secure are we now?"

To learn more about the necessity of security performance measurement and benchmarking, attend our August 14 webinar, featuring Jon Oltsik of the Enterprise Strategy Group and Stephen Boyer, BitSight CTO & Cofounder.
