According to the survey, only 45 percent have metrics to help demonstrate success, and the ability to do so is critical to security professionals seeking to shore up budget and other resources. Said TripWire's Melancon, “Information security people are frequently communicating with non-technical executives to get budget and project funding. In many cases, they're having trouble relating the tactics of security to something that would be easily funded from a business perspective.”
According to Melancon, channel partners can be instrumental in providing audits to discover security gaps, though he acknowledges that some customers are reluctant to conduct such audits for fear of what might be found. “That's the wrong way to look at it because the risks are there whether you choose to look at them or not,” he said. “So the key is to come up with a good catalog of risks and to analyze their relative seriousness without emotional bias or political barriers by engaging people in a business discussion.”
“We’re also finding that a lot of these discussions are not having an appropriate balance between preventive and detective controls,” added TripWire product marketing manager Cindy Valladares. “And that's another area where partners can assist by looking at things through an independent lens. Most companies are pretty good with preventive controls but far fewer are focused on detective controls.”
According to the report, between 80 percent and 90 percent of organizations have partially or fully deployed preventive controls, but only about 50 percent have deployed the majority of detective controls.