Security teams are being swamped by requests for metrics – here’s why

February 21, 2020

Barnaby Clarke

In the ‘good old days’, it was sufficient for security teams to produce subjective, qualitative reporting. But as their programmes have become more mature, security teams are increasingly using metrics and data to better understand their security posture and to communicate with stakeholders. 

The number of requests for metrics, from within the business and outside of it, is climbing rapidly. In fact, our research has found that security teams now spend a third of their time on reporting, with 70% of the process being conducted manually.

But why is the number of requests for metrics increasing?

Internal stakeholders want metrics

Cybersecurity is becoming one of the top risks to enterprises. As a result, there is a range of internal stakeholders that need security metrics in order to prioritise and report on risk. This includes the board, GRC, IT, internal auditors, heads of department and C-level execs.

Ultimately, these stakeholders are looking for reassurance. They understand that you can’t be 100% secure. There is always the risk of a breach occurring. But they want reassurance that the security team is doing everything it can to keep that risk within the accepted appetite. Metrics provide a degree of objectivity and substantiation that qualitative assessments can’t match.

Regulators want more metrics

The regulators are in a similar position to the internal stakeholders – they want reassurance that the organisation has sufficient security measures in place. 

Ultimately, the regulators and the internal stakeholders are on the same side – making sure security gets done to a standard of quality, whether this is protecting customers and their data or the company’s reputation.

The challenge for global enterprises is that security teams can find themselves answering to different regulators in the different markets that they operate in. For example, one team might have to substantiate compliance with GDPR in Europe, New York’s SHIELD Act, and CCPA in California. Each of these regulations will have different reporting standards, so security teams have to present the same data in many different ways to give all of the regulators the information that they need.

There is an upward trend in the regulatory landscape – more regulations will be introduced over time, with increasingly stringent demands. The MAS Cyber Hygiene Notice in Singapore, for example, specifies that banks must ensure that controls are present on every asset – previously unseen terminology that makes it much more difficult to prove compliance. 

Why is this a challenge for security teams?

Lack of basic visibility and trust in their data

Though most security teams are now using metrics, it must be noted that some metrics programmes are more mature than others. Not all security teams will be able to answer every question asked of them with the systems and processes they have in place.

In our experience, many large enterprises struggle to report on their security in a meaningful way for multiple reasons. They can’t see all of their assets, they can’t see what controls are deployed against those assets, and they don’t know if those controls are actually working as intended. This means it is very difficult for companies to produce solid metrics on controls coverage and gaps.

There is also a lack of trust in the underlying data because that data may be either incomplete or out of date. In turn, teams spend more resources on getting to the more accurate or recent data, thus extending the process yet further. But fundamentally, the mistrust means the metrics they have in place may not be telling the whole story.

Too many tools

Our research has found that the average security team is now running more than fifty different security tools. This creates real challenges for security teams when it comes to reporting.

The security product market is fragmented. Most of the tools on the market are designed to address a specific issue. They’re not always designed to be part of an ecosystem, as they often output data in inconsistent ways.

As a result, security teams have to manually extract data from each of these tools and then format it so that the data can be combined to create a unified view of security posture. This is a complex and time-consuming process that’s closer to data science than conventional cybersecurity and diverts attention away from the security team’s core responsibility – securing the organisation and its data. 

So, what is the answer?

Internal stakeholders and regulators need security metrics, and that will not go away anytime soon. In fact, it’s more likely to increase. Coupled with this, IT estates are becoming more complex and security teams are buying more tools to manage the increasing risk. 

How can security teams meet stakeholder needs without diverting time away from their core responsibilities? 

One of the core ingredients to solving complex data analysis challenges like this is automation. And it’s not easy. But, by unifying their IT and security data and automating their reporting, security teams can efficiently produce trusted metrics for different stakeholders, aligned to whatever framework they require. Our research found that over 70% of security leaders believe that Continuous Controls Monitoring can deliver improved tracking of security metrics and better interaction with stakeholders.

If you’ve got questions about anything in this post, feel free to get in touch on Twitter, Linkedin or email to carry on the conversation.