Eighty percent of companies surveyed experienced a cybersecurity incident in the past year, the most common being malware attacks, according to the Better Security And Business Outcomes With Security Performance Management Report by Forrester Consulting. 

The security incidents affect customer privacy/safety the most — 54 percent report customers were greatly or somewhat harmed by an incident. In fact, 79 percent of companies agree that customer/partner demands for cybersecurity reporting have intensified in recent years. More than one-third of companies agree that they have lost business due to either a real or perceived lack of security rigor. Additionally, 82 percent of decision makers agree that the way customers and partners perceive security is increasingly important to the way their firm makes decisions. 

Additional key findings include:

  • In the wake of an incident, C-level security decision makers are more likely than their staff to cite harm to company reputation and customer acquisition— meaning that C-level decision makers understand the value of effective security better than their direct reports.
  • Companies that have implemented formal security performance metrics are more likely to have seen a 10 percent or greater increase in security budget year over year.
  • 38 percent have lost business due to a perceived or real lack of security rigor.
  • There is increased scrutiny on spending (70 percent agree), and formal metrics are now the key method to justify investments (an approach at 63 percent of companies). However, 63 percent is still considering how important measurement is. And 40 percent say they have warned decision makers of worst-case scenarios to rouse attention in order to justify investments.
  • 63 percent have introduced formal security performance metrics as an approach to help justify current or proposed security investments. Other approaches are developing business case internally (46 percent), using improved maturity calculations (43 percent) and using ROI calculations (43 percent).
  • 39 percent of VP/directors and 48 percent of C-suite levels say a company's ability to attract new customers was harmed following a cybersecurity incident. 
  • 38 percent of VP/directors and 51 percent of C-suite levels say their company's reputation was harmed following a cybersecurity incident.
  • 45 percent of companies use cybersecurity ratings, making it the third most common metric overall. 43 percent of companies using cybersecurity ratings also report them out to customers and partners, more so than any other metric.
  • 63 percent of firms that measure the number of blocked malware incidents also report the metric up to the board.
  • 63 percent of companies have invested in new technology as a way to improve security performance measurement. 
  • Companies using formal security metrics are more likely to have seen a 10 percent or greater increase in their security budget over last year (38 percent of firms with formal metrics said this versus just 25 percent of firms without formal metric).