LONDON--(Marketwire - Jul 2, 2012) - Tripwire, a leading global provider of IT security solutions, and the Ponemon Institute today announced the results of "The State of Risk-Based Security Management (RBSM) Study." This international study includes data from 2,145 individuals from organisations of different sizes and types in the United Kingdom, Germany, Netherlands and the United States.
This study evaluates how over 500 U.K. organisations view their Risk-Based Security Management (RBSM), how they address RBSM through formal programs and the deployment of specific controls, and how they measure program effectiveness.
The report details the current state of risk management and perceptions about its benefits to organisations, and provides guidance on how to strengthen an organisation's security practices and add value to the business through a risk-based approach. The report also provides recommendations for mitigating risks, protecting data, and detecting cyber attacks and data breaches accurately and efficiently.
Surprising highlights from this report include:
1. No Metrics = No Success. Survey results show the U.K. gauges success of RBSM programs by proving cost reduction of the program. Such a metric can encourage the wrong behaviour and actually increase the risk, according to the Ponemon Institute. U.K. organisations must establish and use better metrics to demonstrate program success such as configuration quality, effectiveness of security controls and security program progress. Without these good metrics, organisations will be unable to demonstrate program success.
2. Unbalanced approach to risk management and security. According to survey results, allocated spending is not aligned to perceived risk. In the U.K., organisations are making excellent progress with preventive controls, yet they are lacking when it comes to implementing detective controls, resulting in an inability to identify, implement and continuously monitor controls. For best results, organisations need to ensure an appropriate balance of preventive and detective controls.
3. Although organisations profess a strong commitment to RBSM, not enough organisations are taking action. A vast majority of U.K. organisations (72 percent) claim a significant or very significant commitment to RBSM. Even though most organisations are committed to and have a formal RBSM approach, more than half in the U.K. still don't have formal strategies or procedures in place. Among the companies that do have strategies in place, most are not implementing all elements of a strong RBSM structure, creating potential risks for businesses moving forward.
4. Perceptions of RBSM differ in the U.S., U.K., Germany and the Netherlands. In the U.S., 71 percent of organisations say they are concerned about malicious insiders. In the U.K. that number drops to 49 percent, 32 percent in Germany and only 16 percent in the Netherlands.
"It is evident from this data that CISOs must move beyond 'lip service' when it comes to Risk-Based Security Management," said Dwayne Melancon, CTO for Tripwire. "Savvy security executives will leverage risk as a means to drive business-relevant discussions, and use objective measures to show security effectiveness. It is imperative to break the cycle of 'habitual security spending' to better align security resource allocations within their businesses."
"We believe risk-based security management will transform organisations' approach to protecting critical information assets and technologies from one that is reactive to proactive," said Larry Ponemon of the Ponemon Institute. "Our goal in providing this research is to help organisations make this approach a core business imperative."
To access the complete Ponemon Institute study along with related multimedia content, please visit http://www.tripwire.com/ponemon2012 or follow the conversation on Twitter via the hashtag #RiskyBiz2012.
About Ponemon Institute LLC
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
About Tripwire, Inc.
Tripwire is a leading global provider of IT security solutions for enterprises, government agencies and service providers who need to protect their sensitive data on critical infrastructure from breaches, vulnerabilities, and threats. Thousands of customers rely on Tripwire's critical security controls, such as security configuration management, file integrity monitoring, and log and event management. The Tripwire VIA™ platform of integrated controls provides unprecedented visibility and intelligence into business risk while automating complex and manual tasks, enabling organisations to better achieve continuous compliance, mitigate business risk and help ensure operational control. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.