Whether I’m talking to a customer, a prospect or a friend in the information security community, the conversation often leads us to risk management. Why has it become such a common topic among business executives and security professionals? Is it because the mainstream media is picking up stories about data breaches and how they affect the economic health of organizations? Or is it because we increasingly feel the need to engage with non-technical executives to demonstrate the value that security and risk management bring to the table? And who is driving the need to align security with the business: is it a top-down approach or closer to a grassroots effort?
We wanted to find out the answers to these questions and more, so we commissioned the Ponemon Institute to conduct a global survey of security, risk and privacy professionals. The result is the 2012 report “The State of Risk-Based Security Management”. In total, the study surveyed 2,145 individuals in four countries: the US, the UK, Germany and the Netherlands. The report contains some very interesting findings.
The report also helps us understand:
- The state of risk-based security management (RBSM) – commitment is high, but few organizations are ‘walking the risk talk’
- The evolving role of the CISO – what CISOs can do to move the conversation higher in the organization, including which metrics to use to determine the effectiveness of risk programs
- The security fright index – what keeps CISOs awake at night
- RBSM perception and reality – a comparison of responses across the four countries