A risk-based security strategy is the right way to go for most enterprises, but the problem is that they have not taken any concrete steps to implement a plan, a new study said.
Commitment to risk-based security management (RBSM) is high, but implementation is low, according to The State of Risk-Based Security Management, a survey conducted by the Ponemon Institute and sponsored by security vendor Tripwire.
Although 77 percent of the organizations in the study claim a significant or very significant commitment to RBSM, their actions do not back up this claim, the study says.
Slightly more than half of respondents (52 percent) said they have a formal function, program, or set of activities dedicated to RBSM, according to Ponemon. Less than half (46 percent) report they have deployed any risk management program activities at all. Forty-one percent don’t classify their information according to its importance to the organization.
Among those organizations that do have a formal function, program, or set of activities dedicated to risk management, 74 percent have either partially or completely implemented some risk management practices, the study said.
Most organizations are looking to reduce risk by implementing preventive tools and practices, but many do not have tools and practices for detecting threats and compromises once they have penetrated enterprise defenses, Ponemon said.
“It turns out that 80 to 90 percent of the organizations report deploying the majority of the important preventive controls, but only 50 percent report deploying the majority of important detective controls,” the survey said.
While many respondents indicated that a lack of resources, skilled personnel, and leadership is a barrier to implementing RBSM, Ponemon said the lack of a formal program or strategy is a more significant roadblock.