Part Two: What are Priorities for Making Security Program Management Better?
Demetrios Lazarikos (Laz)
July 5, 2022
This is the second of three blog posts about our recent survey on security program management. The previous post discussed current practices for security program management. This one covers priorities for future improvements. The final post will review conclusions and recommendations.
The full report is available here: Security Program Management: Priorities and Strategies.
Are Security Leaders Spending Too Much or Too Little Time on Security Program Management Activities?
Our survey asked respondents to think about nine tasks related to security program management and say whether they were spending the right amount of time on them.
The responses for all nine showed a mixture of “spending too much time,” “spending about the right amount of time,” and “not spending enough time.” However, there was a pattern.
The items with the highest “spending too much time” percentages are necessary but relatively routine tasks, such as preparing reports (38%), establishing policies and procedures (38%), and managing assessments (32%). In contrast, the areas where security leaders want to be able to devote more effort are mostly related to strategic activities, such as building alignment between security and business objectives, creating strategic plans, and strengthening relationships with senior management (18%, 17%, and 16%, respectively, “not spending enough time”).
Do Organizations Need to Improve How They Communicate Security Priorities to Management?
The survey asked respondents to describe their agreement with the statement: “Clearly communicating security priorities and investment needs to executive management and the board of directors is a significant challenge for our organization.”
Almost three out of four respondents (73%) believe their organization needs to improve how security leaders communicate with executive management and boards. Of those, 31% “strongly agree” with the statement above. Only about a quarter (27%) feel comfortable with their organization’s capabilities in this area.
Would Better Reporting on Security Maturity and Effectiveness Significantly Strengthen Security?
The ability to objectively document improvements in security maturity and effectiveness can provide benefits to security leaders such as:
- Providing a basis to motivate and reward security teams for activities that materially improve security.
- Demonstrating progress to executives and boards.
- Showing that past investments in security have produced concrete results.
Are these advantages really that important? It certainly seems so. An overwhelming 97% of the survey respondents agreed with the statement “Being able to report on improvements in security maturity and effectiveness using consistent, objective data would significantly strengthen the security of our enterprise.” Of those, over half of the security leaders (53%) strongly agreed.
Eleven Security Program Management Activities: Where Would Improvements Be Most Valuable?
The survey listed eleven key activities that are part of security program management, and asked whether improving the organization’s capabilities in each area would be “a little valuable,” “valuable,” or “very valuable.”
The respondents indicated that their highest priorities are to improve their organization’s capabilities to:
- Collect security data in an efficient manner
- Benchmark security performance against industry peers
- Define a roadmap of security initiatives and investments
- Implement the security roadmap
- Identify and prioritize risk
- Maintain a central record for data on security effectiveness