Risk Based Security Strategy More Talk Than Action for Many, Survey Finds

Organizations are talking the talk when it comes to risk-based security management, but not everyone is walking the walk, according to a new study by the Ponemon Institute.

The research, which was commissioned by security vendor Tripwire, included responses from 2,145 people from organizations in the United States, United Kingdom, Germany and the Netherlands. While 77 percent of respondents expressed significant or very significant commitment to risk-based management, only 52 percent said they have a formalized approach to it. In addition, only 46 percent have actually deployed any risk-based security management program activities.

At first, the statistics seem surprising because there “has been so much talk about risk in my conversations with most enterprises,” said Dwayne Melancon, CTO for Tripwire.

“However, when you dig into this, you realize that true risk-orientation is not a spreadsheet exercise – it is a mindset,” he said. “The number of people that must be aligned across multiple, diverse disciplines makes this a challenge. Therefore, I guess it isn’t so surprising that people are doing far more talking than doing in this area.”

The ideal risk-based management strategy is holistic, explained Larry Ponemon, chairman of the institute.

“It considers and attempts to manage all potential risk interrelationships resulting from personnel, manual controls, governance and enabling technologies,” he said. “The ad hoc approach is piecemeal…[it] might consider one element such as the procurement/deployment of a new technology simply on the basis of TCO without considering how this technology might affect other security objectives. On a final note, the ideal RBSM strategy is one that views risk as both hazard and opportunity. The ad hoc approach only views risk as a hazard.”

The report recommends that the chief information security officer take the lead in tying the organization’s business and security objectives together so that both can be addressed. Forty-five percent of respondents said they had no specific metrics for measuring the effectiveness of their risk-based security management programs; among those that do, the most frequently cited metric is “reduction in the cost of security management activities.”

“The significant focus on the cost of security management is interesting as this indicator is not, in itself, a measure of security effectiveness,” the report notes. “However, it is the most frequently cited metric and one that tends to receive a lot of scrutiny in enterprises.”


“I believe cost has become a focus because people don’t know what else to measure and, since we are interacting more with non-technical executives, we tend to gravitate toward something they understand and ask about – cost,” Melancon said. “But cost is a poor metric, in that it doesn’t directly correlate to results. If I double your budget, are we twice as secure?”

“I prefer to focus on things that can be trended, are within the direct influence or control of the person accountable for the metric, and that tie back to a more proactive approach to security,” he added.

Forty-one percent of respondents said their organizations do not classify information according to its importance to the business, even though knowing which data matters most is a prerequisite for prioritizing security decisions.

“Data classification driven by compliance is happening, but it is more akin to an ad hoc approach to RBSM,” Melancon said. “Data classification should focus on key business processes of the organization, not just on the ‘in scope’ areas, narrowly-focused on compliance. This is one of those areas where we need to improve our ability to provide an overt linkage between where we spend our resources and how it impacts the core capabilities of the business. Organizations [that] don’t have a grasp of what type of information [is] most important to them have the highest chance of failing in risk management.”
