Despite the increasing number of cyberattacks making headlines, convincing organizations to invest more in cybersecurity technologies remains a major challenge. Too many organizations are still relying on just a firewall and often anti-virus (AV) software that typically has not been updated recently.
Tracking metrics leads to increased cybersecurity investments
A survey of 207 organizations in the U.S. and United Kingdom conducted by Forrester Consulting on behalf of BitSight, a provider of tools for establishing cybersecurity ratings, finds that once organizations start tracking cybersecurity metrics, there is an increase of 10 percent or more in the budget dollars being allocated to cybersecurity on a year-over-year basis. Given that correlation, it’s in the best interest of managed service providers (MSPs) and their cybersecurity vendor partners to make sure those metrics are shared as freely as possible.
In fact, the Bitsight survey notes that organizations with formal cybersecurity metrics in place are 1.8x more likely to develop security policies, 1.7x more likely to update security technology, and 1.6x more likely to invest in security training.
Nearly three-quarters of C-level respondents said that better security performance measurement would greatly or significantly improve company financial performance (see Figure 7). Companies in the survey also reported that better measurement would improve company business continuity (82 percent) and company reputation (81 percent).
The BitSight survey reveals 70 percent of decision makers concur that scrutiny of security spending efficiency is increasing. Much of that increased scrutiny is being driven by the impact cybersecurity issues are having on the business. Over a third of respondents (38 percent) admit their organization has lost business due to either a real or perceived lack of security performance within their organization.
The survey notes that only 45 percent of respondents are gathering security metrics today. The issue the survey finds is most of those metrics are not especially useful to business executives that need to justify the return on investment in cybersecurity.
What metrics are organizations focusing on?
Most organizations are focused on number of malware incidents blocked (50 percent) or the percentage of intrusions blocked by a firewall (50 percent). A more relevant business metric is the number of failed user log-ins. The metric is viewed as a leading indicator of security’s effect on usability, which translates into lower satisfaction scores when customers are unable to easily gain access to a service. It is apparent that organizations need help not just gaining access to security metrics, but also determining what to measure.
Today, there is no shortage of cybersecurity technologies to address any number of cybersecurity issues. The real challenge is that acquiring and managing all those products and platforms tends to raise the total cost of cybersecurity to a point that is often unsustainable for many organizations. This also assumes they can hire and retain the cybersecurity expertise needed to deploy and maintain those platforms.
It will be up to each individual MSP to determine to what degree they want to make security metrics available and at what price point for each of their customers. There is certainly a direct correlation between security metrics and increased budget allocations. In some cases, it might be in MSPs best interest to give away security metrics for free to drive additional spending on services.
There’s an old adage that says things measured are things done. In the case of MSPs, that adage can be modified to also note things measured are also things sold.
Photo: NicoElNino / Shutterstock.
