Less than one-third of U.S. executives are confident in their security posture, and only about 25 percent feel that internal communications about security metrics to senior management is effective, according to recent survey results from Raytheon and Websense. Moreover, nearly 90 percent of the organizations represented suffered at least "one breach with a loss or compromise of data" in the past year, the study found.
Nearly 70 percent of organizations provide security reports to management at least monthly, with 31 percent doing so weekly and 16 percent daily, according to the survey of 100 security executives (figures exceed 100 percent since some organizations have multiple report approaches.) However, those reports might be focused on misleading security metrics,
To combat security issues, most organizations still depend on alerts and actual incidents. But that approach can lead to faulty data analysis, Raytheon found. For instance, an organization may have 400 breaches in 2014 and 300 breaches in 2015, an apparent 25 percent reduction. However, that approach doesn't quantify the number of breaches that triggered a loss or compromise of data.
"Using quantitative metrics—like counting breaches, totaling response times, and calculating downtime—doesn’t help when breaches are a constant," Raytheon asserted. "It is like counting mosquitos on a warm summer night. So, what about the breaches that succeed—the ones that make it past the defenses and start roaming around the network? With eyes constantly focused on the perimeter, organizations often fail to see a threat right under their noses."
For instance, only 33% of those surveyed use dwell time (i.e., the elapsed time from initial breach to containment) alongside the other established metrics, Raytheon noted.
