The Lockdown

Thycotic’s Cyber Security Blog

Most Companies Worldwide Fail to Measure Cyber Security Effectiveness and Performance

Written by Jordan True

July 27th, 2017

WASHINGTON, July 27, 2017 /PRNewswire/ — Thycotic, a provider of privileged account management (PAM) and endpoint privilege management solutions for more than 7,500 organizations worldwide, today announced the release of its first annual 2017 State of Cybersecurity Metrics Report, an analysis of key findings from Thycotic’s Security Measurement Index (SMI), a benchmark survey of more than 400 global business and security executives. Based on internationally accepted standards for security specified in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index provides a comprehensive benchmark to define how well an organization is measuring the effectiveness of its IT security.

According to the 2017 Report, more than half of the 400 respondents in the survey, 58 percent, scored an “F” or “D” grade when evaluating their organization’s efforts to measure their cybersecurity investments and performance against best practices.

“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joseph Carson, Chief Security Scientist at Thycotic. “At a time when threats are escalating and the need for quantifiable metrics is putting security teams and executives under pressure, the 2017 State of Cybersecurity Metrics Report reveals what is actually occurring so that companies can produce assurances, remedy their errors and protect their businesses.”

With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number, 32 percent, of companies are making business decisions and purchasing cyber security technology blindly. Even more disturbing, more than 80 percent of respondents fail to include business users in making cyber security purchase decisions, nor have they established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.

Additional key findings from the 2017 State of Cybersecurity Metrics Report include:

  • One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
  • Four out of five companies don’t know where their sensitive data is located, nor how to secure it.
  • Four out of five companies fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.
  • Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
  • Four out of five never measure the success of security training investments.
  • While 80 percent of breaches involve stolen or weak credentials, 60 percent of companies still do not adequately protect privileged accounts – their keys to the kingdom.
  • Small businesses are targeted in two out of three cyberattacks.
  • Sixty percent of small businesses go out of business six months after a breach.

“Thycotic’s research team issued this report to not only show the errors that are disrupting business, but also to educate security professionals and executives on which areas are lacking and how to improve,” added Carson. “Our report provides recommendations to educate, protect, monitor and measure their security programs so that improvements can be targeted where they will be most effective.”

To download the full 2017 State of Cybersecurity Metrics Report and view all the findings from the Security Measurement Index benchmark survey, visit: To learn more about Thycotic, please visit the company’s website and follow Thycotic on Twitter at @Thycotic.

