A newly released survey commissioned by security vendor TripWire with the Ponemon Institute suggests that customers need help connecting actual risks to their security strategies.
The report, based on feedback from approximately 2,000 international respondents serving in a broad spectrum of roles and vertical markets, says that 77 percent of the respondents expressed significant or very significant commitment to risk-based security management, yet barely more than half have a formalized approach to it, and slightly less than half have actually deployed any risk-based security activities. Roughly one-third have no such strategy at all.
“Risk-based security management is about having a prescribed method for not only categorizing any business assets in terms of risk, but being able to analyze the likelihood and impact of those risks,” explained Dwayne Melancon, TripWire’s CTO, who also presented the findings at this week’s Gartner Risk Management Summit in Washington, DC. “Effective strategic planning is about fully understanding the risks and being able to gauge the impact on the organization if these things should occur. If you can categorize things in this way, you can better allocate your resources and build more effective security strategy by aligning your budget with the highest risk areas.”
The report says about 40 percent of the respondents had not categorized risks according to their relative importance to the organization, thereby missing a key step in knowing what is critical to protect. It also determined that there is an imbalance between where people perceive risk and where they are actually spending their money.
“A lot of people perceive their risk at the network layer to be very low, but that is where the bulk of their money is going,” said Melancon. “So, in many cases, the right solution is to begin trending their network layer investments down, and begin spending more money where there's higher risk around applications and data. To be able to have a good business-level conversation about this depends upon your ability to focus on actual risks in their proper perspective. Otherwise, it becomes a matter of who does a better job of making their pitch, and that's not effective.”
According to the survey, only 45 percent have metrics to help demonstrate success, and the ability to do so is critical to security professionals seeking to shore up budget and other resources. Said TripWire's Melancon, “Information security people are frequently communicating with non-technical executives to get budget and project funding. In many cases, they're having trouble relating the tactics of security to something that would be easily funded from a business perspective.”
According to Melancon, channel partners can be instrumental in providing audits to discover security gaps, though he acknowledges that some customers are reluctant to conduct such audits for fear of what might be found. “That's the wrong way to look at it because the risks are there whether you choose to look at them or not,” he said. “So the key is to come up with a good catalog of risks and to analyze their relative seriousness without emotional bias or political barriers by engaging people in a business discussion.”
“We’re also finding that a lot of these discussions are not having an appropriate balance between preventive and detective controls,” added TripWire product marketing manager Cindy Valladares. “And that's another area where partners can assist by looking at things through an independent lens. Most companies are pretty good with preventive controls but far fewer are focused on detective controls.”
According to the report, between 80 percent and 90 percent of organizations have partially or fully deployed preventive controls, but only about 50 percent have deployed the majority of detective controls.
In many cases, the best advice for security experts from channel partners or within customer organizations is to begin with a relatively small-scale discussion, which helps to prevent key stakeholders from disengaging. “Cost is often used as the primary metric, but cost is merely an indicator,” explained TripWire's Melancon. “You can't specifically say that if you double your investment, risk will go down. Nor can you say risk will go up if you cut it in half. We’re trying to get people to adopt a risk framework that enables them to analyze the framework using metrics that are trendable and trackable and things that lead to things they can do directly.”
Examples include process adherence, configuration quality, employee training, effective collaboration among different organizational groups and ongoing monitoring of the company’s security footing.
“We see the most effective results when there are cross-functional steering committees where people have good discussions about the magnitude of risk from an IT perspective, from the hiring perspective, from the legal perspective, etc.,” Melancon said. “This helps the company get a handle on how effectively security investments are being made, and it doesn't become a situation of one part of the organization against the world.”
The channel’s role can lie in helping customers to assess those risks without the political bias or insular thinking that often obstructs effective strategic planning.
“If I were a partner, I would try to get a handle on how I can help organizations move more towards a risk-oriented strategy and implement some controls based on the highest risk,” Melancon summarized. “Then, help them develop a proper list of metrics, and be able to assess the levels of those metrics to know whether what they are doing is successful or not. If channel partners can help with that, I think they will be hugely important. Many people just don't know how to get started. If you had a risk management kick-start service, you could probably make a lot of money.”