In fact, lack of security metrics and reporting is high on the list of IT professionals’ concerns, according to a survey conducted by Wisegate. Among the findings, 80% said their top security risks (malware, data breaches, and outsider threats) are increasing – but 50% don’t have reporting procedures in place to measure their existing security programs.
But responses show that the sheer volume of different products makes it difficult to communicate strengths and weaknesses in the corporate security profile. The result is a failure to communicate program impact in business terms, and a failure of business people to understand security.
Advice from the National Association for Corporate Directors:
“Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.”