The state of risk-based security management
A new Ponemon Institute survey covers risk-based security management program governance and maturity and includes 571 U.K. and 749 U.S. respondents from the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“The findings from this report strongly indicate that risk-based security management is still viewed as an IT or security task instead of a business task,” noted Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the full value of a risk-based approach to security can only be realized when senior business leaders fully participate in the process.”
Key findings from the survey include:
- 77% rated their organizations’ commitment to risk-based security management as “significant” or “very significant”.
- 86% identified the minimization of non-compliance as a key business objective for risk-based security programs, and 85% identified the protection of intellectual property.
- 59% say that risk-based security management helps align security programs with business objectives.
However:
- 48% say their organizations’ approach or strategy for risk-based security management is non-existent or “ad hoc”.
- 61% say that the business has little or no input or involvement in providing risk-based analysis.
- 51% don’t have a risk-based security management program, or most program activities have not been deployed.
- Only 27% have a security risk management strategy that is applied consistently across the enterprise.