A new survey released by Raytheon and Websense, called “Study-Why Executives Lack Security Posture Confidence While Knowing that the Metrics They Use to Gauge it are Ineffective,” “reveals that confidence in [executives’] enterprise security posture is lacking.” The survey of 100 security executives found that less than a third (31%) feel “very confident” in the organization’s security posture, and “only slightly more than a quarter feel that their communications on security metrics and posture to senior management is effective.” The survey revealed that the overwhelming majority (65%) are only “somewhat confident” in their organization’s security posture.
Further, those responding to the survey indicated that almost 9-in-10 organizations had at least one breach in the last year that resulted in data loss or compromise, and nearly 1-in-5 had three to five breaches in the last year resulting in the loss or compromise of data. Data breaches and compromises are not going away.
The authors submit that counting breaches from year to year and using the count as a metric is ineffective and does little to protect the organization from the next breach, particularly when even one breach is costly and damaging. Instead, the survey posits that organizations must look inward: it is more important to determine how long a threat or attack was inside the organization and to measure the effectiveness of the defense against the attack. The conclusion: “it is time for organizations to consider a qualitative approach as part of a comprehensive security program.” Agreed. And we would add that the responsibility for a comprehensive security program does not rest with the IT department alone. A coordinated effort, with C-Suite engagement and robust communication between the two, is essential to combat threats and minimize risk.