Risk-Based Security Management Needs Improvement

 
 
By Don Reisinger  |  Posted 08-26-2013
 
1. Time Is of the Essence

When it comes to compliance, the most important metric for IT professionals is mean-time-to-patch, according to 49% of them.

2. You Didn't Do That, Did You?

33% of IT pros spend most of their compliance time determining whether employees violated any policies, which is also a top concern.

3. Protecting Against Threats

Determining whether endpoints are free from malware and viruses is an important metric among 45% of IT pros tasked with protecting against threats.

4. Living in a Quantifiable World

35% of IT pros say that reducing data breaches is enough of a metric to judge performance even though the numbers don't always add up.

5. It's All About Knowledge

The trouble with measuring performance on outbreaks is that not all of the outbreaks are discovered. That's why 35% of IT professionals like to monitor vulnerabilities and eliminate those.

6. Time Waits for No One

Just 13% of IT pros are concerned about the mean time to detect a security incident, while only 8% measured how long it took to fix a security problem.

7. The Cost of Doing Business

52% of IT professionals evaluate performance based on their ability to reduce the cost of security management.

8. A Lack of Measuring

Once again, time is largely an afterthought, with only 5% of IT pros indicating that the length of time to contain security breaches and exploits is measured in their department.

9. Budgets, Budgets, Budgets

49% of security professionals say they're judged based on their ability to effectively stay within budget.

10. What About the Training?

IT professionals want business-side employees to receive the proper security training they need to reduce the types of risky behavior that sends corporate networks into lockdown.
 

How do you judge the effectiveness of your security response? It's a question that risk-based security management company Tripwire, along with research firm Ponemon Institute, asked 1,320 IT professionals in a recent survey. One thing is abundantly clear in Tripwire’s The State of Risk-Based Security Management study: IT professionals are still too heavily focused on responsive metrics rather than proactive metrics.

"In light of the maturity curve in deployment of risk-based security management, it's not surprising that the majority of organizations are not using metrics oriented toward higher order outcomes," says Larry Ponemon, chairman and founder of the Ponemon Institute. "Respondents are still focused primarily on operational aspects. And, while many executives are focused on more visible outcomes, like reduction in data breaches, very few organizations are tracking more proactive metrics."

In other words, companies are not doing enough to safeguard themselves from potential security issues. Granted, that behavior could be due to the fact that budgets and time are short, but it's important to respond quickly and efficiently to security troubles. And on that front, due diligence before security issues occur is just as important as after they surface.
 
Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis' Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow his every move at http://twitter.com/donreisinger.

 
 
 
 
 
 
