2012 Ponemon Report: The State of Risk-Based Security Management


Download the full report here: www.Tripwire.com/Ponemon2012

Risk-based security management (RBSM) is rapidly gaining acceptance as an essential security practice. But how far along are organizations with it? Ponemon Institute and Tripwire teamed up to explore the state of RBSM in the US. Discover the study’s key findings:

+Although organizations profess a strong commitment to RBSM, they're taking little action.
+Those organizations with a formal approach to RBSM tend to walk the talk.
+Most organizations implement the appropriate preventive controls, but neglect to implement sufficient detective controls.
+The position level of the respondent in the organization affects how threats rank on their "Security Fright Index."
+How perceptions of RBSM differ in the US, the UK, Germany and the Netherlands.

Published in: Technology, Business
  • Today I'd like to take you through the results of the State of Risk-Based Security Management for 2012. This is based on a large-scale study that was done on behalf of Tripwire, and it covers a lot of different aspects of risk management. I'll provide you with a bit of background and cover some of the key findings of the study. I'll also provide some background on why this study was performed and then discuss some of the key findings that we take from the data that was gathered. Finally, I'll wrap this up with a few recommendations and resources that hopefully you can take away and use in your daily work.
  • Let's begin by talking about some of the changes that are facing us in the world of information security today. As I speak with customers around the world, a number of trends are emerging. For example, many information security professionals, executives included, now have to make appeals to other parts of the business to get funding. This often includes speaking with non-technical audiences. For example, I was working with a group of hospitals recently, and they have to appeal to hospital boards for project funding, IT investments, and staffing needs. In these cases, it can be very difficult for the non-technical executives to really understand why the security executives are asking for more money. This presents its own challenges, which I'll discuss in a little more detail later. I've also spoken with a number of enterprises who are trying to be more proactive in security. Essentially they want to move from simply focusing on alerting to providing useful information that actually enables strategic decisions; in other words, a decision center. Another dynamic I've observed is that compliance is really beginning to drive conversations around risk management. I believe this is a result of auditors' focus on top-down, risk-based compliance. This translates into a focus that brings risk more into the picture as discussions occur around information security. Another aspect of this is the need by executive management to more effectively allocate budgets based on objective measures. Since many of these executives are financial professionals, they are accustomed to balancing risk versus reward. Finally, many of the higher profile information security events and breaches are more visible than ever to non-technical executives in our environment. This is due to something I call the iPad effect. How many of you have executives in your company who read the Wall Street Journal or some other newspaper on the iPad, then send around lots of links to stories that relate to information security? The good news is, this provides a prime opportunity for us to engage with them around the importance of what we do every day. When you put all of this together, I hope you'll understand some of the reasons we undertook this study of the state of risk management, and specifically risk-based security management, and hopefully you'll pick up a few pointers that will help you get your organization to embrace risk as a key part of security.
  • Now, let's talk about the study itself. This is a broad-based study that was responded to by over 2000 individuals spanning 4 different countries. I mentioned I work for Tripwire, but I want to stress that we commissioned an independent research organization, in this case the Ponemon Institute, to perform this objective study on our behalf. In other words, we didn't want to lead the witness; we wanted an accurate depiction of the state of risk-based security management in today's world. This is the 1st of what we hope will be an annual benchmark of the global state of risk-based security management. Not only do we want to learn about the condition of risk management, we want to derive some prescriptive guidance from these findings. Then, as we resurvey about the same topics in the future, we can determine whether things are getting better, worse, or staying the same.
  • From an industry perspective, we have broad representation from various types of industry. While the top 5 responding categories represent 64% of the total respondents, no one category is greater than 18%. For a survey of this type, I feel this representation is very well balanced.
  • Let's dig into the demographics a bit deeper. When it comes to job titles, you'll see that we have a pretty broad cross-section of representative titles from the industry. However, I've noticed that we have heavier representation from the supervisor and managerial level of the organizations. I believe this is appropriate, because based on my anecdotal conversations with companies around the world, people in these positions are in the crossfire of risk discussions in information security today.
  • »» The State of RBSM -- What US organizations are doing to address RBSM, such as developing a formal program, deploying specific controls, and measuring program effectiveness.
    »» Perceptions about RBSM -- The beliefs that organizations hold about RBSM; for example, that it can reduce the cost of security programs and the number of security exploits and data breaches.
    »» The Security "Fright Index" -- What are the top threats that risk and information security professionals identify to their environments, and what keeps them awake at night.
    »» The Evolving Role of the CISO -- With risk management rising in importance, how does it affect the role of the CISO and shape their current and future responsibilities?
    »» The Relationship between RBSM Maturity and Security Posture -- Specifically, does the existence of a formal RBSM program or function relate to the maturity of its RBSM program?
    »» The State of RBSM in Various Countries -- A comparison of the state of RBSM in the US, the UK, Germany and the Netherlands.
  • What's more interesting is what we found from the answers these people gave. I'll take you through each one of the top findings in a bit more detail, and of course you can go to the report if you'd like full details on all of the findings. We'll talk about how, 1st and foremost, it is really all talk and no walk when it comes to risk-based security management. Then I'll discuss what I believe are some of the imbalances in people's approach to information and risk management. We'll move on to the Security Fright Index, which essentially answers the question: what keeps you awake at night? And finally we'll dig into where I believe the biggest void is: metrics.
    DETAILS, JUST IN CASE
    All Talk, No Walk
    -- Commitment is high (77%)
    -- Only 52% have a formalized approach
    -- Only 46% have deployed any risk activity
    -- 30% have NO strategy, and 23% have an informal strategy
    -- If they have a formal approach (52%), only 74% have partially or completely deployed activities
    -- 41% do not categorize information according to its importance
    An Unbalanced Approach to Information and Risk Management
    -- 80-90% have partially/fully deployed preventive controls
    -- Only 50% have deployed detective controls
    Security Fright Index -- What Keeps You Awake At Night?
    No Metrics = No Success?
    -- Less than half (45%) have metrics to help demonstrate program success
  • One of the 1st and most promising areas of the data is around commitment. I was very encouraged by the fact that 77% of the organizations surveyed believe that they have either a significant or very significant commitment to risk management. If this is the case, we must be doing great at risk-based security management, right? Let's keep going.
  • Of course, as we discussed earlier, there's a big difference between intent and practice. This data around the existence of a risk management strategy bears that out. You see from the data that 23% of the organizations have a formal and consistently applied risk management strategy. Another 24% have a formal strategy in place, but it's applied only inconsistently. The worrisome part is that 53% of the organizations either have an ad hoc strategy or no strategy at all around risk management.
  • Next, let's look at the percentage of organizations that have actually formalized their approach to risk-based security management, or at least established a function dedicated to it. So now we move from 77% who are serious about RBSM to 52% that have actually established a dedicated function to look after information security risk. Things don't look as rosy as they did at first, do they?
  • Next, we wanted to find out how far along these organizations are in their practices around risk management. When we look at these numbers, only 36% of the organizations are in the late-middle or mature stages of risk management program adoption. The good news is, slightly more than that, 38%, are in the middle stage of risk management adoption, which means they have at least partially deployed some of their risk management programs and practices.
  • Before we look at the specific fears, let's take a look at what people are expecting to get out of risk management. One interesting phenomenon here is the difference between the US and the UK versus Germany and the Netherlands. In the US and the UK, the biggest focus from a benefits perspective is on reducing the cost of security programs. In contrast, in Germany and the Netherlands the biggest benefit they're seeking is to improve their compliance with laws and regulations. I believe some of this has to do with timing. A lot of the regulatory pressure in the US and the UK has passed, due to a heavy focus on things like PCI, which was very deadline driven. In contrast, in Germany and the Netherlands, not only are the PCI deadlines a bit further behind, we also see heavy-handed legislation around information privacy and financial reporting, which could explain why they are more focused on compliance with laws or regulations.
  • So, to net it out, a lot of organizations are paying lip service to risk-based security management. Most of the organizations are talking about risk-based security management, and even claiming to be committed to it. Unfortunately, when we dig into the numbers, less than half of them are doing anything meaningful around risk-based security management in their organizations today. While it may be a bit of an exaggeration to say that people are all talk and no walk around risk-based security management, I think you'll agree we have a lot of work to do.
  • The next finding was that there is an imbalance between risk management and security. Let's look at the numbers.
  • When we dig into the perceived risk versus where people are actually deploying their resources and money, we find that there is a mismatch. Some of this I believe is due to what I refer to as "habitual IT spending": spending out of habit. For example, look at the network layer of the diagram here. The 1st column represents the allocated spending in this category. The 2nd column represents the perceived security risk around that particular area. So from a network layer perspective, you'll find that we're spending way more on this category than we believe is justified by the risk. On the flip side, look at the application layer. 11% of the budget is being allocated there, while we believe that 34% of the risk is present in the application layer. The best explanation I can offer for this is that organizations have traditionally spent a lot of money on the perimeter and on "widget-like" products. In other words, appliances you can plug into the network to get an auditor off your back, or to have some kind of visible proof that you are "doing your job" in case anyone asks. Of course, the traditional hype from security vendors who claim to be able to catch the bad guys in the act doesn't help. I also believe that this is another symptom of the fact that most people's approach to risk is not adaptive. In other words, the risk landscape changes, but their habits, approaches, and spending do not change with the risks.
  • Next, we looked at the state of control adoption in the environments. When it comes to preventive controls, things actually don't look too bad. If we look at the top 3 areas of adoption, we see that people are: investing in the creation of policies and procedures, deploying technology for malware detection and prevention, and creating policies around system hardening. These all sound pretty good, don't they? Consider that preventive controls are typically in place to, 1st, set expectations about what the business expects everyone to do; 2nd, make it easy to do the right thing and difficult or painful to do the wrong thing; and 3rd, provide repeatability and predictability in terms of how people behave when it comes to security. The challenge is that preventive controls define what is expected. So how do we prove that people are actually following the rules?
  • Proof, detection, and the data used for enforcement all come from detective controls. If you recall, the top 3 preventive controls were in use by 86% or more of the respondents to the survey. Detective controls are not quite that far along. The best detective control, change control, is only adopted to a level of 68%. The next, vulnerability management, is only at 62%. And the 3rd, security configuration management, which is necessary to implement and enforce security hardening, is only at 49%. So, when I look at this data, I come to the conclusion that a lot of organizations have plenty of expectations around security practices. The gap between preventive and detective controls tells me that many of these organizations are frustrated because they can't enforce the rules that they've created.
  • This brings me to my summary for this finding: most organizations have an imbalanced approach to security and risk management. The way they are using their budget, staff, and technology is misaligned with where the risks are. We're over-investing in some areas while under-investing in other areas, in spite of the fact that we recognize the risks are bigger in some of these underfunded areas. 2nd, most organizations have a long way to go to even cover the basic 1st steps of risk-based security management. 3rd, when it comes to controls, organizations are making good progress on creating good expectations through preventive controls, but they will be forever frustrated until they deploy detective controls to hold people accountable to those expectations.
  • In the final category of findings, let's talk about metrics. Less than half the organizations studied are actually using regimented metrics to determine how effective their risk-based security management activities are. This is troubling, because what gets measured improves, and if nothing is being measured in half of these organizations, then not much is likely to be improving. From my conversations with enterprises around the world, it seems that one of the most difficult problems they face is determining what good metrics they should be using for tracking the success of risk-based security management. Toward the end of this presentation, I will share with you some of my findings from the customers that I speak with, but 1st let's look at what the objective data tells us.
  • We also looked at a much more detailed set of categories for what is being measured. These tend to be a level down: whereas the metrics on the last slide were more focused on overall program effectiveness, these are more focused on the effectiveness of security activities. I recognize that this is a bit of an eye chart, so let's move to a different view that zooms in on some of the top measurements that are being used.
  • I'm not too excited about some of these metrics either, especially the 1st one. Reduction in the cost of security management activities is an okay indicator, but it's a poor metric. What I mean by this is that the cost of security management activities doesn't directly drive the effectiveness of those activities up or down. If I double your budget, are we twice as secure? If I cut it in half, are we half as secure? I don't think so. So why is cost the top metric in use? I believe it's because we don't have a lot of good information about strong metrics, and we often get asked about what we're doing by non-technical financial people, and we can't explain it very well. Therefore, we are reduced to the least common denominator: cost. Financial people ask about costs when they don't know what else to ask about. Now, I do see some good metrics mixed in here. For example, the 2nd one: number of end users receiving appropriate training. That's a pretty good one to measure. I'd suggest a slight improvement to it, such as moving from a number of end users to a percentage of end users. This would give you a scalable metric that would work with any size of organization. Again, I'll suggest some other metrics in a few minutes.
  • In summary, no metrics means no success. Less than half of the organizations we studied are using metrics at all for RBSM. And, of those organizations that are using metrics, I believe that many of them are using ineffective or "false flag" metrics such as cost of security programs and number of vulnerabilities in the environment. Because our ability to be effective hinges on our ability to convey our value and get appropriate funding for the most important things, I believe metrics are a key area that we should be focused on in terms of improvement.
  • So those are the key findings of the report, and some of the data that support them. Now I'd like to transition into a world of more opinion, based on observations from a number of discussions with a wide variety of organizations in the field. These include some observations on what's working and what's not, as well as some recommendations that you can carry forward into your own practices.
  • Okay, now for the moment we've all been waiting for. What are some of the metrics that actually work? If you're looking for some good resources in terms of metrics, and you're a Gartner client, I suggest you look at some of the papers by Jeffrey Wheatman. He has done a lot of work on creating effective metrics, and will even review your metrics and provide feedback if you'd like. Some of the ones I've seen that I like, or that I've seen work, are things like the ones you see on the screen here. The 1st category is configuration quality. This includes things like the percentage of configurations that are compliant with your target security standards, viewed through a risk-aligned lens. What I mean by risk-aligned is this: once you've identified your critical assets, establish a target. For example, you may target having 95% or more of the systems in your critical group configured in accordance with your configuration hardening standards. In the next category of risk, whether that's high or medium or whatever, you may strive for 75% or more of your configurations being aligned with your target security standards. These metrics are good because they are something you can control, and they decrease your attack surface, which reduces your security risk. Configuration quality metrics can also include things like the number of unauthorized changes, and patch compliance, again by target area aligned with your risk level. In other words, focusing on your critical assets, you want to measure the percentage of systems that are patched within 72 hours. Remember, you need to measure things that you can directly influence, otherwise you will fail. The 2nd category, control effectiveness, is designed to help you focus on what you can automate to improve your effectiveness and decrease your reliance on people paying attention. For example, metrics like the percent of incidents detected by an automated control will help decrease the effort and cost required to detect security incidents. Tracking the percent of incidents resulting in loss will get you focused on what's required to discover incidents more quickly and resolve them more quickly. The percentage of changes that follow the change process is a metric that will get you focused on implementing detective controls so that you can detect when people break the rules and go around your process. The 3rd category I've provided here, security program progress, is designed to track the effectiveness of aspects of your overall security program. For example, one of the concerns in the risk study was threats from careless users and the use of social media. Both of these can be remedied by better employee education around security and security practices. The 2 metrics I've provided here will help you track how effectively that training is being implemented and received. The 1st will track what percentage of your overall organization has been trained. You'll note that I mention a breakout by business area. That's designed to help create a bit of competition between the different groups. This is an area where you want employees to take security training seriously, so if you begin to show scores by business area, by definition someone will be at the bottom of the list. No executive wants to be at the bottom of the list, so they will begin to help you drive security training as an important element of your program, even if they're only doing it so they don't show up at the bottom of the list. Then, once people have been trained, periodically issue a security recall test or a retention test, and again report the scores by business area. This will help you drive overall retention across the organization and use competition to make it proceed more quickly. These are just some of the metrics that I've come across. If you have any others that are effective, I'd love to know about them. If you have any that you're struggling with, I'd love to engage with you to try to find a better set of mechanisms to track progress. The most important thing here is that we can all learn from each other and improve the state of the art around not only security actions but measuring the effectiveness of those actions. In a couple of slides you'll see my contact information; if you have anything to share on this topic, I would love to hear from you.
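As an added illustration of the risk-aligned metrics above (not part of the original presentation or report), the following Python computes configuration compliance per risk tier against the 95%/75% targets, 72-hour patch compliance for critical assets, and change-process adherence from a constructed asset inventory and change log. The tier labels, field names and every sample value are assumptions made for this example.

```python
"""Risk-aligned RBSM metrics over a constructed asset inventory and change log.

Implements three of the metrics discussed above:
  - configuration compliance per risk tier, scored against the per-tier
    targets (95% for critical assets, 75% for the next tier)
  - patch compliance: share of critical assets patched within 72 hours
  - change-process adherence: share of changes that went through the process
Tier labels, field names and all sample values are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Per-tier targets quoted in the talk; "medium" is an assumed label for the next tier.
TIER_TARGETS = {"critical": 95, "medium": 75}   # percent of assets that must be hardened
PATCH_WINDOW = timedelta(hours=72)               # patch SLA for critical assets

@dataclass
class Asset:
    name: str
    tier: str                          # "critical" or "medium"
    hardened: bool                     # meets the configuration hardening standard
    patch_released: datetime           # when the relevant patch became available
    patch_applied: Optional[datetime]  # None = still unpatched

@dataclass
class Change:
    asset: str
    followed_process: bool  # change was requested and approved before it was made

def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty population scores 0 rather than raising."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def config_compliance_by_tier(assets: List[Asset]) -> Dict[str, Tuple[float, int, bool]]:
    """Return {tier: (percent hardened, target percent, target met)} for each tier in TIER_TARGETS."""
    result = {}
    for tier, target in TIER_TARGETS.items():
        group = [a for a in assets if a.tier == tier]
        compliant = pct(sum(1 for a in group if a.hardened), len(group))
        result[tier] = (compliant, target, compliant >= target)
    return result

def patch_compliance(assets: List[Asset], tier: str = "critical",
                     window: timedelta = PATCH_WINDOW) -> float:
    """Percent of assets in `tier` patched within `window` of the patch release.

    Unpatched assets and assets patched after the window both count as misses,
    so the metric cannot be improved by leaving a patch unapplied.
    """
    group = [a for a in assets if a.tier == tier]
    on_time = sum(
        1 for a in group
        if a.patch_applied is not None and a.patch_applied - a.patch_released <= window
    )
    return pct(on_time, len(group))

def change_process_adherence(changes: List[Change]) -> float:
    """Percent of observed changes that followed the change process; the rest are unauthorized."""
    return pct(sum(1 for c in changes if c.followed_process), len(changes))

# Constructed sample data (not from the report): four critical and four medium assets.
_T0 = datetime(2012, 6, 1, 9, 0)
SAMPLE_ASSETS = [
    Asset("db-01",  "critical", True,  _T0, _T0 + timedelta(hours=24)),  # hardened, patched on time
    Asset("db-02",  "critical", True,  _T0, _T0 + timedelta(hours=80)),  # hardened, patched late
    Asset("app-01", "critical", True,  _T0, None),                       # hardened, never patched
    Asset("app-02", "critical", False, _T0, _T0 + timedelta(hours=72)),  # not hardened, patched at the limit
    Asset("web-01", "medium",   True,  _T0, _T0 + timedelta(hours=10)),
    Asset("web-02", "medium",   True,  _T0, None),
    Asset("fs-01",  "medium",   True,  _T0, _T0 + timedelta(hours=90)),
    Asset("fs-02",  "medium",   False, _T0, None),
]
SAMPLE_CHANGES = [
    Change("db-01", True), Change("db-02", True), Change("app-01", False),
    Change("web-01", True), Change("fs-01", True),
]

def scorecard(assets: List[Asset], changes: List[Change]) -> Dict[str, object]:
    """Assemble the metrics into one dictionary that can be trended from period to period."""
    return {
        "config_compliance": config_compliance_by_tier(assets),
        "critical_patch_compliance_72h": patch_compliance(assets),
        "change_process_adherence": change_process_adherence(changes),
    }
```

On the sample data the critical tier is 75% hardened against a 95% target, so the scorecard flags it while the medium tier passes at exactly 75%.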
  • Let's start with what I'm seeing in terms of how organizations are approaching this problem. Many organizations are investigating and seeking to adopt a repeatable framework. Some examples include FAIR, which stands for Factor Analysis of Information Risk, and OCTAVE, which is a well-established risk framework that is being adopted by some government organizations. When you're implementing or adopting a risk framework, don't over-complicate things. I see too many organizations that try to apply new practices in a blanket fashion across the enterprise. This is a recipe for frustration. Focus on a key high-risk area, do what you can to implement some strong, workable practices around that area, then move on to the next area. This will allow you to achieve some early wins, and it will limit the percentage of your employee population that has to learn new habits. I've also seen a number of organizations that are forming cross-functional steering committees to help look at risk more holistically. These stretch beyond IT and include things like strategic and operational risk representation, which is often taken care of by a CFO's staff or someone from a G&A function. These cross-functional teams also often include people with financial influence, people from HR, from legal, from sales, and other parts of the organization. I find these cross-functional groups to be very effective, not only in getting everyone on the same page around risk, but in providing more objective analysis of the relative merits of risk management expenditures and efforts. I'm also seeing a wide variety of organizations who are beginning to implement formal risk scoring and ranking methods. Again, these are often in conjunction with a prescribed framework. All of these things work together to form a set of building blocks that you can use to prioritize things. This comes in handy when deciding what projects to undertake, what actions to take, and what investments to make, so that you can actually bias your decisions toward areas that have the highest risk or highest impact to the organization. In other words, they allow you to focus your resources on solving the biggest problems facing the organization. The final area relates back to the metrics I was talking about before. I see organizations attempting to establish key risk indicators and key risk objectives to help them measure progress. Focusing on a repeatable framework and crisp measurement allows you to begin managing by fact rather than by emotion, or always paying attention to the latest and loudest person who shows up with some kind of a cause.
  • So those are some of the things that are going right. But let's take a look at what isn't going as well. In organizations that are stuck or stalled, here are some of the things that tend to slow them down. The 1st is the use of what I refer to as a boil-the-ocean approach. In other words, trying to do too much across too broad a landscape of your business. Rather than trying to solve every risk problem in the organization, pick one or 2 key areas that relate to one or 2 key business processes, and start there. Remember, non-technical executives tend to think of things in terms of revenue, costs, customer satisfaction, fulfillment, or other key processes in the business. Figure out what the most important process is, what the biggest risk is that's facing that particular area, then identify what you can do from an IT risk perspective to mitigate that risk. If you're successful, those early wins can make it a lot easier to move on to future phases of your projects. Another problem I've seen is when the discussion gets too granular or too geeky very quickly. Executives have short attention spans, so keep it high level and get to the point quickly. Closely related to this is when there is no buy-in from other parts of the organization. This can be very frustrating, because it often looks like a superhero in the IT organization trying to take on the rest of the organization and force them to adopt a risk-oriented focus. If you don't have buy-in, you're not ready to start executing. The most effective place to get support is as high in the organization as you can manage. I mentioned tone at the top before. If you're trying to embark on a risk management project to get risk management adopted across your organization, make sure you have an executive sponsor. This is generally either the CEO or someone reporting to the CEO in your organization. We've talked a bit about this one already, but I've also seen ineffective metrics, or a complete lack of metrics, stall risk management efforts. I'll get to that in a minute. Finally, as I mentioned before, too many organizations are focused on cost as the primary focus of their risk management and security programs. This has got to change.
  • In closing, let's look at some recommendations that you can use to drive your own risk-based security management efforts. 1st, institute a formal risk-based security management program or function that has a formal strategy. The goal here is to create a framework that allows you to have repeatable, data-driven execution against your risk management goals. Next, use that platform to get the organization focused on risk as the primary emphasis, and not on tactics and especially not on cost. Take a look at the controls that you've implemented. Do you have an appropriate balance of preventive and detective controls? One quick litmus test for that is to take a look at your policies. Are there any policies that are particularly frustrating to you because people just don't follow them? If so, those are probably areas in which you've under-invested in detective controls. The 4th area is to establish and use metrics so you can demonstrate program success. When you implement your metrics, make sure they are tied to business goals. What this means is that you may have some higher-level objectives that are more at a program level, that will mean something to a CFO or a non-technical executive. You'll also have a set of objectives that are closer to your daily activities. When you create these, make sure they are both comprised of data that is easy to gather and can be trended, and that they are things you can either directly control or influence. If you are measured on things that you can't directly control, your success will be greatly limited. Finally, ensure that your program includes an aspect of continuous monitoring. Your threat landscape changes, your business priorities change, the technology landscape changes, and all of these things must be considered when you create, fund, and execute on your security plan.