Page 1 of 3
A newly released survey commissioned by security vendor Tripwire with the Ponemon Institute suggests that customers need help connecting actual risks to their security strategies.
The report, based on feedback from approximately 2,000 international respondents serving in a broad spectrum of roles and vertical markets, says that 77 percent of the respondents expressed significant or very significant commitment to risk-based security management, yet barely more than half have a formalized approach to it, and slightly less than half have actually deployed any risk-based security activities. Roughly one-third have no such strategy at all.
“Risk-based security management is about having a prescribed method for not only categorizing any business assets in terms of risk, but being able to analyze the likelihood and impact of those risks,” explained Dwayne Melancon, Tripwire’s CTO, who also presented the findings at this week’s Gartner Risk Management Summit in Washington, DC. “Effective strategic planning is about fully understanding the risks and being able to gauge the impact on the organization if these things should occur. If you can categorize things in this way, you can better allocate your resources and build more effective security strategy by aligning your budget with the highest risk areas.”
The report says about 40 percent of the respondents had not categorized risks according to their relative importance to the organization, thereby missing a key step in knowing what is critical to protect. It also determined that there is an imbalance between where people perceive risk and where they are actually spending their money.
“A lot of people perceive their risk at the network layer to be very low, but that is where the bulk of their money is going,” said Melancon. “So, in many cases, the right solution is to begin trending their network layer investments down, and begin spending more money where there's higher risk around applications and data. To be able to have a good business-level conversation about this depends upon your ability to focus on actual risks in their proper perspective. Otherwise, it becomes a matter of who does a better job of making their pitch, and that's not effective.”