Security Experts:

Connect with us

Hi, what are you looking for?


A new survey of managers and executives revealed that organizations are all talk and no walk when it comes to risk-based security management, as most have not implemented a formal program to manage risk.

According to research by Tripwire and the Ponemon Institute, security spending within organizations is not aligned with perceived risk. Organizations are making excellent progress with deploying preventive controls, but are not implementing detective controls, the survey found. In fact, for organizations in the United States, 80 to 90 percent said they have partially or fully deployed preventative controls, but only 50 percent have deployed the majority of detective controls, according to Tripwire. As a result, the organizations are unable to identify, implement, and continuously monitor their programs effectively.

The State of Risk Based Security Management (RBSM) study found that many organizations are relying on cost reductions to gauge the success of RBSM programs. Such a metric can “encourage the wrong behavior and actually increase the risk,” Tripwire said.

“We believe risk-based security management will transform organisations’ approach to protecting critical information assets and technologies from one that is reactive to proactive,” said Larry Ponemon of the Ponemon Institute.

Although organizations claim to be strongly committed to RBSM, they aren’t taking action, the survey found. Over 72 percent of UK organizations claimed a “significant” or “very significant” commitment, but more than half of the surveyed organizations didn’t have formal strategies or procedures in place to manage risk. The numbers are similar for US organizations, with 77 percent expressing a strong commitment, but only 52 percent adopting a formal approach. Only 46 percent have actually deployed any RBSM activities, according to the survey.

This gap creates potential risks for businesses moving forward, Tripwire said.

“Savvy security executives will leverage risk as a means to drive business-relevant discussions, and use objective measures to show security effectiveness. It is imperative to break the cycle of ‘habitual security spending’ to better align security resource allocations within their businesses,” said Dwayne Melancon, CTO for Tripwire.

The survey collected information from 2,145 individuals from organizations of different sizes and types in the United Kingdom, Germany, Netherlands and the United States. The respondents were asked how they viewed risk-based security management  within their organizations, how they addressed the risks, and how they measured the effectiveness of the measures deployed.

Greatest IT Security Risks

Perceptions of RBSM differed in the US, UK, Germany and the Netherlands, the survey found. In the US, 71 percent of organizations said they were concerned about malicious insiders, compared to 49 percent in UK, 32 percent in Germany, and only 16 percent in the Netherlands.

Tripwire actually released U.S. results earlier in June during the Gartner Security & Risk Management Summit. About 30 percent of organizations in the US had no RBSM strategy, and about 23 percent had an informal or ad-hoc strategy, Tripwire said.

“It is evident from this data that CISO’s must to move beyond ‘lip service’ when it comes to Risk-Based Security Management,” said Melancon.

The full report is availble here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem