According to The State of Risk-Based Security Management, a survey conducted by the Ponemon Institute and sponsored by security vendor Tripwire, commitment to risk-based security management (RBSM) is high, but implementation is low.
The study reveals that although more than three-quarters (77 percent) of the organizations surveyed claim a significant or very significant commitment to RBSM, their actions do not back up this claim.
Slightly more than half of respondents (52 percent) report that they have a formal function, program, or set of activities dedicated to risk-based security management, according to Ponemon. Less than half (46 percent) report that they have deployed any risk management program activities at all. Forty-one percent don't classify their information according to its importance to the organization.
Among those organizations that do have a formal function, program, or set of activities dedicated to risk management, almost three-quarters (74 percent) have either partially or completely implemented some risk management practices, the study says.
Most organizations are looking to reduce risk by implementing preventive tools and practices, but many do not have tools and practices for detecting threats and compromises once they have penetrated enterprise defenses, Ponemon reports.
"It turns out that 80 to 90 percent of the organizations report deploying the majority of the important preventive controls, but only 50 percent report deploying the majority of important detective controls," the survey states.
While many respondents indicated that a lack of resources, skilled personnel, and leadership are barriers to implementing RBSM, Ponemon suggests that the lack of a formal program or strategy is a more significant roadblock.