Tripwire has released the results of an extensive study, conducted with the Ponemon Institute, on the state of risk-based security management.
The study examined the disconnect between an organization's commitment to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.
The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”
The full report can be found here: http://www.tripwire.com/register/the-state-of-risk-based-security-2013-full-report/
• Broadest set of foundational security controls
• Business context with blended asset and risk scoring
• Security business intelligence with performance reporting and visualization to make better decisions
• Covering the extended enterprise
Connect Security To the Business
Enable Aligned & Risk-based Security
Deliver Foundational Security Controls
Provide Flexible & Scalable Deployment Options
Editor's notes
Ask the audience whether they think risk management is an art or a science
By industry:
- Largest difference in the industrial industry.
By job title:
- Professionals with roles in IT (security, operations) or in compliance tend to think it’s more a SCIENCE.
- Professionals in business operations or risk management (IT or ERM) tend to lean towards ART.
Key findings from the survey include:
- 81 percent rated their organization’s commitment to risk-based security management as ‘significant’ or ‘very significant’
However:
- 46 percent say their organization’s approach or strategy for risk-based security management is non-existent or ‘ad-hoc’
- Only 29 percent have a security risk management strategy that is applied consistently across the enterprise
- 47 percent don’t have a risk-based security management program, or most program activities have not been deployed
- 62 percent say that the business has little or no input or involvement in providing risk-based analysis
- Roughly 50% say their metrics are not aligned with the needs of the business
Key findings from the survey include:
- 88 percent identified the protection of intellectual property and 78 percent identified the minimization of non-compliance as key business objectives for risk-based security programs
The lack of proactive security posture communication that can be understood by non-technical executives is a significant challenge for a majority of security professionals. The chain of communication to the senior executive team is definitely broken. Key findings from the survey include:
- 64 percent said they don’t communicate security risk with senior executives, or only communicate when a serious security risk is revealed.
- 50/50 effective and not effective. Why? Top reasons:
  - Information is too technical to be understood by non-technical management
  - More pressing issues take precedence
  - We only communicate with senior executives when there is an actual incident
  - It takes too much time and resources to prepare and report metrics for senior executives
What’s needed is a way to communicate that is like how CFOs do it. THEY communicate highly technical, conceptual information about business every day, month, quarter, and year, and most in the C-suite seem to get it. I reject the notion that execs at that level cannot be communicated with except by ‘dumbing down’ the data. Sure – they’re not going to get or even care about security details, but they need trends, comparisons, and big-picture views that only the CISO can provide.
Instead, all they usually want to know is: are we secure, and how are we trending? Really, not even that – their questions go to: will I be sued? Are you keeping our company safe such that we won’t be subject to humiliation, public ridicule, and of course, a lower P/E ratio? So charts like these might make sense to you and your team, (CLICK) but execs may need an even higher roll-up. Regardless of the visuals (and they should be designed to fit what your organization could best receive), your execs need a higher-level roll-up. A roll-up, a summary, a dashboard – regardless of the tool you use, this is preferred. Visualizations can really help your work resonate with your peers and boards.
Some of you may already be collecting the right data, and you and your teams DO get into the small details because you know it’s where a lot of the more subtle issues exist. Most CISOs I talk to will acknowledge that they spend a lot of man-hours, manual labor and analysis to produce something from data across the organizational and technical silos. And there’s often a fine art of extrapolation, probabilities, and impact assessed between apples and pears. As you know, everything is not easily comparable. Ideally, to automate and save time, as well as keep the data consistent and normalized across dissimilar systems, you could use a tool like ours (CLICK)
We help you connect security to the business by:
- Continuously measuring security and risk posture
- Delivering reports easily understood by non-technical executives
- Making it easy to customize and integrate into your environment to improve decision making
- Which saves you time, money and effort in reducing risks in your business
- Covering the extended enterprise so you know you are secure
Tripwire is unique because:
The resource to make CSTB a reality
- Leverage our best-in-class data and put it in business context (VA + Change + Config + Events = Priceless)
- Has the metrics, scorecards and analytics that roll up and connect security efforts to business initiatives
- Has security peer benchmarks
- Has sophisticated asset management and risk scoring
Deliver the SANS CSC First 5
- Has best-in-class vulnerability & configuration management
- Solves the SANS 20 CSC “First Five” right out of the box
Most Scalable, Flexible solution for the Enterprise
- Has enterprise scalability and integration delivery options: appliances, virtualized, cloud, agent and agentless or hybrid
- Cover everything: breadth & depth
As part of Tripwire’s risk-based security management, there is the broadest set of foundational security controls available in the market today:
- Continuous discovery and monitoring of your entire IT infrastructure
- Breadth – secure your entire infrastructure, including physical, virtual, web-based, database and network devices
- Completeness – configuration auditing and management, vulnerability management, file integrity monitoring and log and event management
- Comprehensive asset discovery and reconciliation
- Highly accurate and deep coverage in vulnerability and configuration discovery
- Research team providing up-to-date coverage in the ever-changing threat environment
- Automates and assures regulatory and policy compliance
- Flexible deployment options including on-premise and/or cloud-based, and agent or agentless monitoring
- One suite for security configuration, hardware, software and integrity vulnerabilities
Our solution…
Lead The Market Convergence of Critical Security Controls
Enable Business-aligned & Risk-based Security
Provide Flexible & Scalable Deployment Options