Research from security firm Panaseer revealed that cybersecurity leaders in financial organizations are facing issues due to the lack of trusted data that is required to make security decisions and reduce the risk of cyberthreats.
The research, titled “2020 Financial Services Security Metrics Report,” found concerns about security measurement and metrics, including data confidence, resource wastage, manual processes, and request overload.
The report exposed multiple issues with the processes, people, and technologies required to have a full understanding of an organization’s cyber posture and the preventative measures. Nearly 96.77% of respondents admitted that they use metrics to measure their cybersecurity posture. The primary use for security metrics is risk management (41.69%), followed by demonstrating the success of security initiatives (28.04%), supporting security investment business cases (19.11%), and executive reporting (10.17%).
Around 36.72% of security leaders said that their biggest challenge is trust in the data when creating metrics to measure and report on risk. However, 47.75% could claim to be confident that they are using the right security metrics to measure cyber risk.
Other key findings include:
- Metrics have become increasingly important for security leaders. 96% of security leaders use metrics for measuring cybersecurity posture and reporting to a growing group of stakeholders, such as the board, regulators, auditors, and customers.
- The security team is facing an overload of requests for metrics. This overload of requests can also have a serious knock-on effect as security teams divert resources from investigation and response to emerging threats.
- Teams are wasting an inordinate amount of time processing and reporting on metrics. Security teams are spending more than 290 work hours per month on recurring and ad-hoc reporting to various stakeholders (outside of the security department); the most reporting time is spent on IT (44 hours or 5.5 days) and lines of business (43 hours or 5.4 days).
- Many security leaders do not trust the data they use. Over a third (37%) of security leaders said that the biggest challenge in creating metrics to measure and report on risk was trust in the data.
- Reliance on manual processes fuels the metrics mistrust. Nearly 60% of security leaders are reliant on spreadsheets to calculate security metrics, while 53% use custom scripts.
- Security leaders are aiming for better metric maturity. Nearly half describe their program as basic, elementary, or intermediate. However, two-thirds (65%) claim they want to be at upper intermediate or advanced stages for all audiences by 2021.
The research findings are based on the responses from more than 400 security decision-makers, working in companies within the financial services sector in the U.K. and the U.S.
“Financial service organizations in particular need trusted and timely metrics into their technology risk, segmented where possible to critical operations. With this information, the Board can then have better understanding into what risks it is and isn’t accepting to keep customer data safe,” said Nik Whitfield, CEO, Panaseer.