
Most Companies Fail to Measure Cybersecurity Metrics, KPIs, ROI


Most companies need to do a better job of measuring business success and key metrics on how cybersecurity investments are performing, according to a study of more than 400 global and security executives conducted by privileged access software company Thycotic.

The study potentially opens the door for MSPs and MSSPs to deliver monthly or quarterly reports to customers describing key performance indicators (KPIs) and security outcomes, MSSP Alert believes. Such reporting is already standard practice for horizontal MSPs that want to show their business value to SMB owners.

Alas, the Thycotic "2017 State of Cybersecurity Metrics Annual Report" indicated 58 percent of companies do not measure the effectiveness of their cybersecurity investments and performance against best practices.

In addition, the study revealed 80 percent of businesses are not fully satisfied with the cybersecurity metrics that are available, and over 80 percent of companies fail to include business users in cybersecurity purchase decisions.

Other study results included:

  • 80 percent of companies never measure the success of cybersecurity training investments.
  • 80 percent do not know where their sensitive data is located and how to secure it.
  • 80 percent fail to ensure their IT security policies are understood by employees.
  • 60 percent do not adequately protect privileged user accounts.
  • 32 percent are making business decisions and purchasing cybersecurity technology blindly.

More than $100 billion will be spent worldwide on cybersecurity every year by 2020, and cybersecurity metrics must become a priority for businesses to maximize the long-term value of their cybersecurity investments, Thycotic stated.

Cybersecurity Recommendations

Thycotic offered the following recommendations to help businesses improve their cybersecurity operations:

  • Teach employees about proper "cyber hygiene."
  • Implement a "least privilege" approach and culture.
  • Ensure C-suite executives experience a "red team assessment" to identify and resolve cybersecurity issues before they escalate.
  • Develop a cybersecurity plan.
  • Back up critical data and systems.
  • Test data and system restore capabilities regularly.
  • Leverage identity and access management (IAM) technologies and other solutions to safeguard privileged accounts.
  • Customize a recovery plan for different types of cyber threats.
  • Track access to privileged systems and audit security logs.
  • Use key business metrics to monitor cybersecurity successes and failures.
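
The two recommendations above that are most directly measurable are tracking access to privileged systems and turning the audit trail into a metric. The script below is an added example of what such a measurement can look like; it is not code from Thycotic or from the report. It parses a handful of constructed syslog-style lines in the real formats emitted by sudo and sshd, tallies who used privilege and how, flags sudo commands that touched a small list of sensitive paths (the list is an assumption for the example), and computes one KPI: the share of privileged events that can be attributed to a named person. Direct root logins count against that ratio because they leave no named user to hold accountable.

```python
import re
from collections import Counter

# sudo's syslog line: "<user> : [N incorrect password attempts ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<fails>\d+) incorrect password attempts ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd's successful-login line: "Accepted <method> for <user> from <src> port ..."
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)

# Paths whose access via sudo deserves review. Assumption for this example; tune per environment.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Mar  3 10:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:15:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:16:02 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:20:10 db01 sshd[2231]: Accepted publickey for root from 10.0.5.7 port 51234 ssh2
Mar  3 10:21:33 db01 sshd[2240]: Accepted password for carol from 10.0.5.9 port 51300 ssh2
Mar  3 10:22:00 db01 sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
"""


def audit_privileged_access(lines):
    """Tally privileged-access facts from syslog-style lines.

    Returns a dict with:
      sudo_by_user        - successful sudo invocations per named user
      failed_sudo_by_user - failed sudo password attempts per named user
      direct_root_logins  - (source, auth method) for sshd logins straight into root
      sensitive_reads     - (user, command) pairs whose sudo command touched SENSITIVE_PATHS
    """
    m = {
        "sudo_by_user": Counter(),
        "failed_sudo_by_user": Counter(),
        "direct_root_logins": [],
        "sensitive_reads": [],
    }
    for line in lines:
        s = SUDO_RE.search(line)
        if s:
            if s.group("fails"):
                m["failed_sudo_by_user"][s.group("user")] += int(s.group("fails"))
                continue
            m["sudo_by_user"][s.group("user")] += 1
            if any(p in s.group("cmd") for p in SENSITIVE_PATHS):
                m["sensitive_reads"].append((s.group("user"), s.group("cmd")))
            continue
        a = SSHD_RE.search(line)
        if a and a.group("user") == "root":
            # A login as root itself cannot be tied to a person; record it separately.
            m["direct_root_logins"].append((a.group("src"), a.group("method")))
    return m


def attribution_ratio(m):
    """KPI: fraction of privileged events attributable to a named user.

    Successful sudo invocations carry a user name; direct root logins do not.
    A ratio below 1.0 means shared or direct root access is still in use.
    """
    attributed = sum(m["sudo_by_user"].values())
    total = attributed + len(m["direct_root_logins"])
    return attributed / total if total else 1.0


if __name__ == "__main__":
    metrics = audit_privileged_access(SAMPLE_LOG.splitlines())
    print("sudo use per user:      ", dict(metrics["sudo_by_user"]))
    print("failed sudo per user:   ", dict(metrics["failed_sudo_by_user"]))
    print("direct root logins:     ", metrics["direct_root_logins"])
    print("sensitive reads:        ", metrics["sensitive_reads"])
    print("attribution ratio:      ", f"{attribution_ratio(metrics):.2f}")
```

Run monthly over real auth logs, the attribution ratio, the count of direct root logins and the list of sensitive reads give a report line that a business owner can follow from one period to the next, which is the kind of measurement the survey found most companies are not doing.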

Furthermore, implementing access controls for privileged accounts in network systems and collaborating with business users can help companies secure their operations, Thycotic said.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.