Organizations are talking the talk when it comes to risk-based security management, but not everyone is walking the walk, according to a new study by the Ponemon Institute.
The research, which was commissioned by security vendor Tripwire, included responses from 2,145 people from organizations in the United States, United Kingdom, Germany and the Netherlands. While 77 percent of respondents expressed significant or very significant commitment to risk-based management, only 52 percent said they have a formalized approach to it. In addition, only 46 percent have actually deployed any risk-based security management program activities.
At first, the statistics seem surprising because there "has been so much talk about risk in my conversations with most enterprises," said Dwayne Melancon, CTO for Tripwire.
"However, when you dig into this, you realize that true risk-orientation is not a spreadsheet exercise - it is a mindset," he said. "The number of people that must be aligned across multiple, diverse disciplines makes this a challenge. Therefore, I guess it isn't so surprising that people are doing far more talking than doing in this area."
The ideal risk-based management strategy is holistic, explained Larry Ponemon, chairman of the institute.
"It considers and attempts to manage all potential risk interrelationships resulting from personnel, manual controls, governance and enabling technologies," he said. "The ad hoc approach is piecemeal…[it] might consider one element such as the procurement/deployment of a new technology simply on the basis of TCO without considering how this technology might affect other security objectives. On a final note, the ideal RBSM strategy is one that views risk as both hazard and opportunity. The ad hoc approach only views risk as a hazard."
The chief information security officer should take the reins in terms of tying together the business and security objectives of the organization so they can be addressed, the report recommends. While 45 percent of respondents said they had no specific metrics to measure the effectiveness of their risk-based security management programs, of those that do, the most frequently cited metric is "reduction in the cost of security management activities."
"The significant focus on the cost of security management is interesting as this indicator is not, in itself, a measure of security effectiveness," the report notes. "However, it is the most frequently cited metric and one that tends to receive a lot of scrutiny in enterprises."
"I believe cost has become a focus because people don't know what else to measure and, since we are interacting more with non-technical executives, we tend to gravitate toward something they understand and ask about - cost," Melancon said. "But cost is a poor metric, in that it doesn't directly correlate to results. If I double your budget, are we twice as secure?"
"I prefer to focus on things that can be trended, are within the direct influence or control of the person accountable for the metric, and that tie back to a more proactive approach to security," he added.
Forty-one percent of respondents said that their organizations do not categorize their information according to its importance to the organization, a critical step in making security decisions.
"Data classification driven by compliance is happening, but it is more akin to an ad hoc approach to RBSM," Melancon said. "Data classification should focus on key business processes of the organization, not just on the 'in scope' areas, narrowly focused on compliance. This is one of those areas where we need to improve our ability to provide an overt linkage between where we spend our resources and how it impacts the core capabilities of the business. Organizations [that] don't have a grasp of what type of information [is] most important to them have the highest chance of failing in risk management."