    Risk-Based Security Management Still Has a Ways to Go

    Tripwire, a leading global provider of IT security solutions, and the Ponemon Institute recently announced the results of “The State of Risk-Based Security Management (RBSM) Study.” This international study included data from 2,145 individuals from organizations of different sizes and types in the United States, United Kingdom, Germany and the Netherlands.

    This study evaluates how organizations view risk-based security management (RBSM), how they address it through formal programs and the deployment of specific controls, and how they measure program effectiveness.

    The report details the current state of risk management and perceptions about its benefits to organizations, and it provides guidance on how to strengthen an organization’s security practices and add value to the business through a risk-based approach. The report also provides recommendations for mitigating risks, protecting data, and detecting cyber attacks and data breaches accurately and efficiently.

    Although organizations profess a strong commitment to RBSM, they are taking little action.

    In the U.S., over three quarters (77 percent) express significant or very significant commitment to RBSM, yet barely more than half (52 percent) have a formalized approach to it, and less than half (46 percent) have actually deployed any RBSM program activities.

    A vast majority of U.K. organizations (72 percent) claim a significant or very significant commitment to RBSM. Even though most organizations are committed to and have a formal RBSM approach, more than half in the U.K. still don’t have formal strategies or procedures in place. Among the companies that do have strategies in place, most are not implementing all elements of a strong RBSM structure, creating potential risks for businesses moving forward.

    Many organizations lack a formal approach to RBSM.

    In the U.S., around a third (30 percent) of organizations have no RBSM strategy and close to a

    Most organizations implement the appropriate preventive controls, but neglect to implement sufficient detective controls.

    According to survey results, allocated spending is not aligned to perceived risk. In the U.K., organizations are making excellent progress with preventive controls, yet they are lacking when it comes to implementing detective controls, resulting in an inability to identify, implement and continuously monitor controls.

    In the U.S., between 80 and 90 percent of organizations have partially or fully deployed preventive controls, but only about 50 percent have deployed the majority of detective controls. For best results, organizations need to ensure the appropriate balance of preventive and detective controls.

    No Metrics = No Success.

    Survey results show that U.K. organizations gauge the success of RBSM programs by proving cost reduction of the program. Such a metric can encourage the wrong behavior and actually increase the risk, according to the Ponemon Institute. U.K. organizations must establish and use better metrics to demonstrate program success, such as configuration quality, effectiveness of security controls and security program progress. Without these good metrics, organizations will be unable to demonstrate program success.

    Perceptions of RBSM differ in the U.S., U.K., Germany and the Netherlands.

    In the U.S., 71 percent of organizations say they are concerned about malicious insiders. In the U.K., that number drops to 49 percent; it is 32 percent in Germany and only 16 percent in the Netherlands.
