Key findings include:
- 75% of respondents say metrics are “important” or “very important” to a risk-based security program
- 53% don’t believe or are unsure that the security metrics used in their organizations are properly aligned with business objectives
- 51% didn’t believe or were unsure that their organizations’ metrics adequately convey the effectiveness of security risk management efforts to senior executives
- 59% said the information is too technical to be understood by non-technical management
- 48% said pressing issues take precedence
- 40% said they only communicate with executives when there is an actual security incident
- 35% said it takes too much time and resources to prepare and report metrics to senior executives
- 18% said senior executives are not interested in the information
The survey covers risk-based security metrics and evaluates the attitudes of 1321 respondents (749 U.S. and 571 U.K.) from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.