Most security executives lack confidence in their security posture

A new Raytheon|Websense survey of security executives at large companies in the U.S. reveals that confidence in their enterprise security posture is lacking.

According to the 100 security executives who participated, less than one-third (31 percent) are confident in their security posture, and only slightly more than a quarter (28 percent) feel that their communications on security metrics and posture to senior management is effective.

The survey gauged the confidence of executives in their security posture, and the results show that the overwhelming majority of executives (65 percent) are only “Somewhat Confident,” and rightfully so. In the past year, according to the survey, nearly nine in 10 organizations have had at least one breach that resulted in a loss or compromise of data and nearly one in five organizations have had three to five breaches in the past year resulting in a loss or compromise of data.

“With security spending continuing to skyrocket, it is more important than ever to be able to report on metrics that matter, not just quantitative metrics like counting breaches. When breaches are constant, and inevitable, we need a better way,” said Ed Hammersla, president, Raytheon|Websense. “We know threats are going to get in. If we want to be more confident, we need to shift our thinking to metrics such as dwell time, or reducing the time a threat is in our network, which reduces damage and helps strengthen our overall security posture.”


When asked about metrics used to communicate their security posture, only 28 percent of executives surveyed felt the security metrics they used to communicate their security posture were “Completely Effective.” Sixty-five percent felt the metrics were only “Somewhat Effective.”

“It’s encouraging to see that accountability for security has been elevated in most cases to the very top of the organization, but you would question why such an important topic only warrants a weekly to monthly reporting cadence. This is particularly true when the level of confidence in security posture is not high enough to warrant the necessary face time with those accountable, and receiving security reports,” Raj Samani, VP and CTO at Intel Security, told Help Net Security.

Only 33 percent of those surveyed use dwell time (i.e., the elapsed time from initial breach to containment) alongside the other established and less telling metrics such as Cost of Incidents (39 percent) and Reduction in Vulnerabilities (39 percent).

The main takeaway is that intruders can do more damage the longer they have to poke around and move laterally within the network. If an organization can limit the time a threat exists, the damage will be minimized. Organizations should move with urgency to employ different detection, analysis, and ejection techniques so that they can get back to business.