“The findings from this report strongly indicate that risk-based security management is still viewed as an IT or security task instead of a business task,” noted Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the full value of a risk-based approach to security can only be realized when senior business leaders fully participate in the process.”
Key findings from the survey include:
- 77% rated their organizations’ commitment to risk-based security management as ‘significant’ or ‘very significant’.
- 86% identified the minimization of non-compliance as a key business objective for risk-based security programs, and 85% identified the protection of intellectual property.
- 59% say that risk-based security management helps align security programs with business objectives.
- 48% say their organization’s approach or strategy for risk-based security management is non-existent or ‘ad hoc’.
- 61% say that the business has little or no involvement in providing risk-based analysis.
- 51% don’t have a risk-based security management program, or most of the program’s activities have not been deployed.
- Only 27% have a security risk management strategy that is applied consistently across the enterprise.