Nearly 40% of Enterprises Lose Business Due to Cybersecurity Performance: BitSight
“Financial success, brand perception, business continuity and company reputation now all hinge on security performance.”
Do executives understand and effectively measure risk, and adequately communicate it to their board, customers and critical stakeholders? A study suggests they may not, with 40% of enterprises losing business due to their cybersecurity performance.
The Boston, Mass.-based cybersecurity firm BitSight’s new research, “Better Security and Business Outcomes with Security Performance Management” – produced in conjunction with the Cambridge, Mass.-based Forrester – surveyed over 200 U.S.- and U.K.-based enterprise security leaders on their security performance management and measurement strategies.
The September 2019 commissioned study, which indicates that cybersecurity performance is critical to achieving commercial success, detailed: how many enterprises are losing business because of an actual or perceived lack of security hygiene; how current security performance metrics (e.g., the number of malware incidents blocked, the share of filtered phishing/malicious emails) lack context and paint an incomplete picture of performance, leaving companies blind to potential risk; and the C-suite’s point of view on the correlation between security performance and corporate financial performance.
Among the study’s most interesting findings was that nearly two in five enterprises admit they have lost business due to either a real or perceived lack of security performance within their organization.
“Financial success, brand perception, business continuity and company reputation now all hinge on security performance,” Tom Turner, CEO of BitSight, said. “But in order to effectively manage performance, you have to measure it. This report should serve as a wakeup call for security leaders and their executives and boards to take a close look at their strategies for security performance measurement and reporting – after all, their businesses are now on the line.”
The study explored what it describes as misalignment and technological complexities that commonly prevent organizations from realizing effective security performance management. Additional noteworthy findings included the following:
- Effective security performance management drives business wins and better security outcomes. Nearly three-quarters of C-level respondents said improved security performance measurement would greatly or significantly improve company financial performance, while the majority of respondents overall agreed that improved measurement would improve company business continuity (82%) and company reputation (81%). Additionally, companies with formal security performance metrics are more likely to manage security successfully: they are nearly twice as likely to develop security policies, update security technology and conduct security training.
- Commercial success is at risk due to missteps in effectively measuring security performance and communicating it to external stakeholders. Seventy-nine percent of security decision-makers surveyed said customer and partner demands for cybersecurity reporting have intensified, but only 34% said they provide metrics that accurately measure their security performance to customers and partners. Additionally, 82% agreed customer and partner perception of security is increasingly important to their firm’s decision-making capabilities.
- Metrics are critical to understanding and improving communication around security performance, but there is vast room for improvement in current methods. Sixty-three percent of respondents have introduced formal security performance metrics, but four of the five most commonly reported measurements lack context, paint an incomplete picture of security performance, and can leave companies blind to potential risk. These metrics included: the number of malware incidents blocked (50%); the number of intrusions blocked by a firewall/network security (50%); the percentage of filtered phishing/malicious emails (45%); and the number of data loss prevention incidents (40%).
- Cybersecurity risk ratings emerged as an early security metric bright spot. Forty-five percent of respondents said they use cybersecurity ratings, making it the third-most common metric overall. Forty-nine percent of respondents said security ratings are their top preferred metric. Derived from objective, verifiable information, security ratings provide a strategic and contextualized measurement of security performance. Forty-three percent of companies using cybersecurity ratings report them to customers and partners, and 63% report them to the board, indicating that security ratings are emerging as a top method for security performance communication across key company stakeholders.