Risk-Based Security Management Needs Improvement

By Don Reisinger  |  Posted 08-26-2013 Email Print this article Print

How do you judge the effectiveness of your security response? It's a question that risk-based security management company Tripwire, along with research firm Ponemon Institute, asked 1,320 IT professionals in a recent survey. One thing is abundantly clear in Tripwire’s The State of Risk-Based Security Management study: IT professionals are still too heavily focused on responsive metrics rather than proactive metrics. "In light of the maturity curve in deployment of risk-based security management, it's not surprising that the majority of organizations are not using metrics oriented toward higher order outcomes," says Larry Ponemon, chairman and founder of the Ponemon Institute. "Respondents are still focused primarily on operational aspects. And, while many executives are focused on more visible outcomes, like reduction in data breaches, very few organizations are tracking more proactive metrics." In other words, companies are not doing enough to safeguard themselves from potential security issues. Granted, that behavior could be due to the fact that budgets and time are short, but it's important to respond quickly and efficiently to security troubles. And on that front, due diligence before security issues occur is just as important as after they surface.

  • Time Is of the Essence

    When it comes to compliance, the most important metric for IT professionals is mean-time-to-patch, according to 49% of them.
    1-Time Is of the Essence
  • You Didn't Do That, Did You?

    33% of IT pros spend most of their compliance time determining whether employees violated any policies, which is also a top concern.
    2-You Didn't Do That, Did You?
  • Protecting Against Threats

    Determining whether endpoints are free from malware and viruses is an important metric among 45% of IT pros tasked with protecting against threats.
    3-Protecting Against Threats
  • Living in a Quantifiable World

    35% of IT pros say that reducing data breaches is enough of a metric to judge performance even though the numbers don't always add up.
    4-Living in a Quantifiable World
  • It's All About Knowledge

    The trouble with measuring performance on outbreaks is that not all of the outbreaks are discovered. That's why 35% of IT professionals like to monitor vulnerabilities and eliminate those.
    5-It's All About Knowledge
  • Time Waits for No One

    Just 13% of IT pros are concerned about the mean time to detect a security incident, while only 8% measured how long it took to fix a security problem.
    6-Time Waits for No One
  • The Cost of Doing Business

    52% of IT professionals evaluate performance based on their ability to reduce the cost of security management.
    7-The Cost of Doing Business
  • A Lack of Measuring

    Once again, time is largely an afterthought, with only 5% of IT pros indicating that the length of time to contain security breaches and exploits is measured in their department.
    8-A Lack of Measuring
  • Budgets, Budgets, Budgets

    49% of security professionals say they're judged based on their ability to effectively stay within budget.
    9-Budgets, Budgets, Budgets
  • What About the Training?

    IT professionals want business-side employees to receive the proper security training they need to reduce the types of risky behavior that sends corporate networks into lockdown.
    10-What About the Training?
Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis' Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow his every move at http://twitter.com/donreisinger.


Submit a Comment

Loading Comments...
Thanks for your registration, follow us on our social networks to keep up-to-date