If a company understands what it needs to protect, then the cost of security is not as overwhelming as it may seem.
To get to that point, however, a company needs to get under the hood and conduct an audit to figure out where and what they need to spend money.
That is because organizations misalign security spending with perceived security risks and has not yet deployed preventive security technologies, and rarely uses audits to identify security risks, according to a new study focused on the state of risk-based security management with the Ponemon Institute and security firm Tripwire.
The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“Given the constantly changing nature of security threats and security technologies, it’s not surprising that many organizations are having difficulty assessing and prioritizing security risks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the misalignment of perceived risk and security spending coupled with the minimal use of security audits means that many organizations don’t have the information they need to improve security risks.”
Asked how their organization assesses and prioritizes risks, the survey showed:
• 50 percent said they identified specific controls at various network layers to ensure the risks were acceptable to the business
• 41 percent said they implemented layered controls to ensure a compensating control exists if one control fails
• 46 percent said they fully or partially deployed continuous monitoring
When asked about the deployment of preventative and detective controls, the study found:
• 93 percent have fully deployed malware detection/prevention
• 53 percent said they have fully or partially deployed encryption as a preventative control
• 43 percent said they have fully or partially deployed log monitoring as a detective control
• 43 percent said they have fully or partially deployed incident detection and alerts
“These results underscore the challenges IT and security professionals grapple with every day,” said John Pierce, vice president of information systems for Tripwire. “The risk and security landscape faced by organizations continues to increase in complexity, requiring us to deploy and manage more sophisticated and comprehensive solutions to address rapidly evolving risks.”
Other findings from the study include:
• 1 percent of respondents used external audits to identify security risks and 6% used internal audits
• While 46 percent of respondents use formal risk assessments to identify security risks, only 32 percent use automated compliance monitoring for this purpose
• 11 percent of an organization’s security budget is spent protecting the application layer, even though 37 percent of respondents identified it as a key security risk
• 19 percent of an organization’s security budget is spent on the human layer
Click here for more information about this study.