Tripwire, a leading global provider of risk-based security solutions covering security configuration management, vulnerability management, and log and event management, has announced the results of its study on the state of risk-based security management, conducted with the Ponemon Institute.
The survey was sent to 24,550 individuals in U.S. organizations and 18,012 individuals in U.K. organizations. It asked questions about risk-based security metrics and collected 749 responses from U.S. professionals and 571 from U.K. professionals, a response rate of 3.1% (U.S.) and 3.25% (U.K.). Respondents came from IT divisions such as IT security, risk management, business operations, security compliance, and audit. The table below shows the survey's sampling details.
| Sample response | US-2013 | UK-2013 |
|---|---|---|
| Total sampling frame | 24,550 | 18,012 |
| Total returns | 918 | 706 |
| Rejected and screened surveys | 169 | 135 |
| Final sample | 749 | 571 |
| Response rate | 3.1% | 3.2% |
When respondents were asked whether security risk management is an art or a science, the answers were split:
- 66% of risk managers and 62% of U.S. business operations staff saw security risk management as an "art".
- 62% of IT security workers and 56% of U.S. IT operations staff saw it as a "science".
The survey's most startling finding for the IT industry was that almost 59% of IT professionals were unable to understand IT security metrics. The report's findings are as follows:
- 75% of respondents believe that security metrics are important or very important to a risk-based security program.
- 53% of respondents believe that their security metrics are not aligned with business objectives.
- 51% of respondents believe that their organization's security metrics do not fully express the effectiveness of security risk management.
Following these answers, the researchers raised the option of creating security metrics that senior executives can understand.
The responses to that question were:
- 59% of respondents said that information about metrics is not easily understood by non-technical management.
- 48% said that pressing issues take precedence over regular, proactive communication with their executives.
- 40% said that they only communicate with senior executives during a security emergency.
- 35% said that preparing metrics takes too much time and too many resources.
- 18% said that executives showed no interest in such security metrics.
The biggest challenges facing risk management practice are the lack of meaningful metrics and metrics that are not aligned with business goals.
The survey makes clear that most people want a well-defined solution for security metrics: a model that produces a meaningful set of metrics, creates a smooth communication bridge between senior executives and professionals, and presents data that is relevant to and understandable by executives. Today's security metrics focus on operational goals and technical improvement rather than business context. The full report has further details.
About Ponemon
The Ponemon Institute promotes responsible information and privacy management practices in business and government. To that end, it conducts research, educates IT leaders, and verifies the data protection and privacy practices of organizations.
In the final analysis
Half of organizations still have no clear vision of risk-based security planning. Many businesses are still putting their clients' information at risk by neglecting security measurement and lacking a security strategy. Unfortunately, the full value of a risk-based security program can only be realized when senior business executives fully participate in the process.