2012 Ponemon Report: The State of Risk-Based Security Management

The State of Risk-Based Security Management (Global Report)

The State of Risk-Based Security Management

(Global Report)

The State of Risk-BasedSecurity ManagementDwayne Melancon, CTOCindy Valladares, Product Marketing

IT SECURITY & COMPLIANCE AUTOMATION

@TripwireInc #RiskyBiz2012

Today’s Speakers

Dwayne Melancon

Chief Technology Officer

@ThatDwayne

Cindy Valladares

Product Marketing Manager

@cindyv

IT SECURITY & COMPLIANCE AUTOMATION5

The State of Risk-Based Security Management 2012

Why The Interest in Risk-Based Security?

About The Study

Key Findings

Obstacles and Inhibitors

Recommendations

IT SECURITY & COMPLIANCE AUTOMATION

Interest in Risk Management is Spiking

Increasingly required to engage non-technical executives for budget

Habitual security spending not aligned with the business

More objective methods needed to allocate limited budgets

Scary things in the news, noticed by business guys

Compliance is driving the conversation around risk

What is Risk-Based Security Management?

Let’s first define Risk

Risk = Probability (x) Impact

An approach that relates the costs of mitigating risks to the perceived value of an asset in the context of:• Threats

• Vulnerabilities

• Impacts to the business

Part of a wider Enterprise Risk Management system and specific to Information Security

The goal is to enable the business

About The State of Risk-Based Security Management Report

Surveyed 2,145 individuals

Four countries: US, UK, Germany, Netherlands

Commissioned by Tripwire

Conducted by an independent research organization

Demographics – By Industry

Demographics – By Job Title

What is Covered in the Report

Perceptions about risk-based security management (RBSM)

The relationship between RBSM maturity and security posture

The evolving role of the CISO

Comparison of the state of RBSM in various countries

Top Findings

1. More talk than walk

2. Unbalanced approach to information and risk management

3. Lack of metrics to measure success

#1 – Lots of Talk. Starting to Walk.

Stated Commitment to RBSM is High

Does a Formal Risk Management Strategy Exist?

Does a Formal Risk Management Function or Program Exist?

Deployments Range in RBMS Maturity

Perceived Benefits of RBSM

Importance of Benefits Differ by Region

Summary: Starting to Walk

Most organizations are talking about risk-based security management

Most claim to be serious about it

Less than half have formal strategies or procedures in place

#2 – Unbalanced Approach to Risk & Security

Perceived Risk vs Allocated Spending

Evidence of “habitual spending”, not risk-based security spending

Existence of Common Preventive Controls

Setting expectations and making it easier to do the right things

Existence of Common Detective Controls

Ensuring reality matches expectations … accountability

Do the Steps for Assessing and Managing Security Risks Exist?

Basic Steps to Assessing and Managing Security Risk:

1. Identify the information that is key to the business

2. Categorize information according to its importance to the business

3. Identify threats to the information

4. Assess vulnerabilities to the systems that process the information

5. Assess the risks of loss or corruption of the information

6. Identify controls necessary to mitigate the risks

7. Implement the controls

8. Monitor controls continuously

8 Steps for Assessing and Managing Security Risks

Maturity Makes a Difference

Risk assessment and controls vary by level of RBSM maturity

Most Are Missing Critical Steps of Risk-based Security Management

Basic Steps to Assessing and Managing Security Risk

1. Identify the information that is key to the business

2. Categorize information according to its importance to the business

3. Identify threats to the information

4. Assess vulnerabilities to the systems that process the information

5. Assess the risks of loss or corruption of the information

6. Identify controls necessary to mitigate the risks

7. Implement the controls

8. Monitor controls continuously

Summary: Unbalanced Approach

Security resources are not aligned with the perceived risks• Over-investing in some areas, woefully underinvested in others

Preventive vs. Detective control implementation• Organizations making good progress on preventive controls, yet they are

• Behind on detective controls; which means

• They have good expectations, but no way to hold others accountable

Most have work to do on the critical last steps of RBSM

#3 – Lack of Metrics to Measure Success

Use of Metrics to Measure Success

What Is Being Measured?

Summary: No Metrics = No Success

Less than half of organizations are using metrics for RBSM

Many organizations are using “false flag” metrics• Cost of security program

• Number of vulnerabilities in the environment

Field Observations & Recommendations

Configuration Quality:• % of configurations compliant with target security standards (risk-aligned)

• i.e. >95% in Critical; >75% in Medium

• number of unauthorized changes

• patch compliance by target area based on risk level• i.e. % of systems patched within 72 hours for Critical; …within 1 week for Medium

Control effectiveness:• % of incidents detected by an automated control

• % of incidents resulting in loss

• mean time to discover security incidents

• % of changes that follow change process

Security program progress:• % of staff (by business area) completing security training

• average scores (by business area) for security recall test

Snapshot: Examples Of Metrics That Are Working

Investigating and adopting a repeatable framework• Careful - don’t over-study it!

Applying risk ranking/scoring methods

Engaging cross-functional “steering committees” to examine various risks• Strategic & Operational, Information Security, Financial,

Employment Practices, Intellectual Property, Physical, Legal, Regulatory, etc.

Prioritizing projects, actions, and investments to bias toward areas of highest risk and impact

Establishing Key Risk Indicators (KRI’s) and Key Risk Objectives (KRO’s) to measure progress

How Are Orgs Approaching This?

“Boil the ocean” approaches

No executive sponsorship or “Tone at the Top”

No (or ineffective) metrics

Too much focus on cost

What Can Make the Move to Risk-Orientation Difficult?

Recommendations: Risk-Based Security Management (RBSM)

Institute a formal RBSM program or function with a formal strategy

Ensure the appropriate balance of preventive and detective controls

Establish and use metrics to demonstrate program success

www.tripwire.comTripwire Americas: 1.800.TRIPWIRETripwire EMEA: +44 (0) 20 7382 5440Tripwire Japan: +812.53206.8610Tripwire Singapore: +65 6733 5051Tripwire Australia-New Zealand: +61 (0) 402 138 980

www.tripwire.com/ponemon2012www.tripwire.com/blog@TripwireInc

Dwayne Melancon@ThatDwayne

Cindy Valladares@cindyv

2012 Ponemon Report: The State of Risk-Based Security Management

Technology

Transcript of 2012 Ponemon Report: The State of Risk-Based Security Management

Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Application Security Study"

Data Risk in the Third-Party Ecosystem - Ponemon Institute Risk in the Third Party... · Ponemon Institute© Research Report Page 1 Data Risk in the Third-Party Ecosystem Ponemon

Security strategy in a world of digital transformation · 2 Ponemon Institute: Mega Trends in Cyber Security Expert Opinion Study, May 2013 3 Ponemon Institute: Total Cost of Compliance

Ponemon cloud security study

Ponemon Institute - Cloud Security Study 2012

Data Security in the Evolving Payments Ecosystem · Ponemon Institute© Research Report Page 1 Data Security in the Evolving Payments Ecosystem Ponemon Institute, April 2015 Part

Security Analytics and More - · PDF fileSecurity Analytics and More White Paper Cisco Public – Ponemon Institute

2015 State of Endpoint Risk FINAL - ponemon.org State of... · Ponemon Institute© Research Report Page 1 2015 State of Endpoint Report: User-Centric Risk Ponemon Institute, January

“The Internet Of Theft” and Events... · Sources: *PWC global state of information security survey report 2015; **Ponemon 2015 Cost of cyber crime study: Global; ***Ponemon 2014

IBM QRadar Security Intelligence: Evidence of Value · IBM QRadar: Evidence of Value Ponemon Institute: February 2014 Background Ponemon Institute was engaged by IBM to conduct an

Защита индустриальных систем. Стоит ли …Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age. Ponemon Institute LLC August

The State of USB Drive Security in Europe FINAL 7media.kingston.com/pdfs/Ponemon/Ponemon_research... · The State of USB Drive Security in Europe Ponemon Institute© Research Report

Tripwire-Ponemon RBSM 2013 Chapter 5 Security Controls and Spending

Ponemon survey cloud security webcast

2007 Ponemon Database Security Study Sponsored by Application Security Inc

Larry Ponemon of Ponemon Institute Explores Current State of Mobile Application (In)Security

The Need for a New IT Security Architecture: Global Study · Ponemon Institute© Research Report Page 1 The Need for a New IT Security Architecture: Global Study Ponemon Institute,

Managing Insider Risk through Training & Culture Insider Risk through Training & Culture Ponemon Institute, May 2016 Part 1. Executive summary Employees and other insiders inadvertently

Ponemon Report: Cyber Security Incident Response: Are we as prepared as we think?

Security Risk Assessment & Audit Report of Security Risk ...

“The Internet Of Theft” and Events... · Sources: PWC global state of information security survey report 2015; Ponemon 2015 Cost of cyber crime study: Global; Ponemon 2014