The Ponemon Institute has been querying more than 1300 US and UK professionals from security, IT, compliance, risk management and audit. The results show that risk-based security management has credence as a term, but is not yet fully embedded in the business. For example, 77% of respondents rate their organization’s approach to risk-based security management as ‘significant’, but 61% say that the business has little or no input involvement in providing risk-based analysis. Furthermore, more than half of the respondents either have no risk-based program at all, or have one where the major part of it has not been deployed.
Since the fundamental purpose of a risk-based approach is to more closely align the function and cost of security to the assets it protects, then the owners and users of those assets need to be involved in the analysis of risk. The survey suggests, however, that ‘security’ is still largely considered a separate and perhaps grudgingly necessary part of the business rather than a key part of the overall business proposition.
“The findings from this report strongly indicate that risk-based security management is still viewed as an IT or security task instead of a business task”, confirms Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the full value of a risk-based approach to security can only be realized when senior business leaders fully participate in the process.”
The prize of a successful risk-based approach to security management is nothing less than the individually tailored best possible security at the lowest possible cost. For this to be achieved, security needs to come out of its silo and into the boardroom as a fundamental part of the business. With the world economy still depressed and fragile, with the threat from cyber criminals still growing, and with legal regulations getting evermore complex, successfully integrated security and business offers the promise of a business edge over rivals.
Compliance offers a potential route to this end. Senior management cannot ignore its necessity. Eighty-six percent of the survey respondents identified the minimization of non-compliance as a key business objective for risk-based security programs. The lessons learned in a risk-based approach to compliance could be applied to general security.
But it’s not happening yet. “There’s a big gap between risk-based security program commitment and how organizations are actually operating,” notes Elizabeth Ireland, vice president of product marketing for Tripwire. “This could be because many organizations haven’t fully connected the importance of their cyber security program to their top-level business risks in spite of the rapid increase in cyber security threats.”