How well is the security program at your organization doing? That’s always a tough question to answer with any certainty because there is no universally accepted way of measuring security program effectiveness. This week research service provider Wisegate released its 2013 IT Security Benchmark Report, which tries to get some answers.
One statistic that stood out to me was that only 56% of those who responded to the survey rated their organizations at an A or a B when it came to the overall maturity of their security posture.
Defining the maturity of security programs is an important subject to me, and it’s one I covered in some depth about two years ago in the story "Are you an IT security leader - really?" That story was based on a survey of more than 9,000 executives for CSO magazine. It found that 43 percent of organizations thought they were “information security leaders.”
However, when slicing survey respondents by the criteria you’d expect to find at leading organizations, the number of actual “leaders” dropped to about 5 percent. Those criteria included the CISO reporting to a senior executive, a security strategy being in place along with the ability to execute on that strategy, a recent review of their security policy, and, if a breach had occurred, the organization at least knowing the reason for it.
So while 43 percent grade themselves at a B or higher, my bet is if they were vetted on objective criteria we’d see a number well below 10% at best.
Here are some other findings of note within the survey:
- The majority of survey respondents use the technology you’d expect: formal end-user security policies, formal incident response plans, end-point malware/virus protection, intrusion detection/prevention systems, log management, and identity and access management systems.
- Some of the least used technologies included identity governance systems, at 28 percent adoption, as well as software for code reviews and IT GRC software (both at 37 percent).
- Companies with stronger security postures have 1.5 times more processes, policies, software and systems than companies with weaker security postures.
Finally, when it came to budgets, 7.5% of the IT budget goes to security efforts, on average. It’s no surprise that banking and financial services spends the highest, at 10 percent of its IT budget. However, government was found to spend the lowest on security, at 2 percent of its budget.