Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Study shows low use of auditing to identify security risks

Tripwire Inc : 16 August, 2013  (Technical Article)
Lack of audits and misalignment of spending against risk result in lack of information in UK companies about how to reduce IT security risks
Study shows low use of auditing to identify security risks

Tripwire has released results from an extensive study focused on the state of risk-based security management with the Ponemon Institute. The study examined security controls and spending and revealed that many organizations misalign security spending with perceived security risks, haven’t yet deployed preventive security technologies, and rarely use audits to identify security risks.

The study respondents included 571 UK professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

“Given the constantly changing nature of security threats and security technologies, it’s not surprising that many organizations are having difficulty assessing and prioritizing security risks,” noted Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the misalignment of perceived risk and security spending coupled with the minimal use of security audits means that many organizations don’t have the information they need to improve security risks.”

When respondents were asked how their organization assesses and prioritizes risks, the results showed:

* Only 49 percent said they identified specific controls at various network layers to ensure the risks were acceptable to the business
* Only 39 percent said they implemented layered controls to ensure a compensating control exists if one control fails
* Only 44 percent said they fully or partially deployed continuous monitoring

When asked about the deployment of preventative and detective controls, the study revealed:

* 90 percent have fully deployed malware detection/prevention
* Only 50 percent said they have fully or partially deployed encryption as a preventative control
* Only 36 percent said they have fully or partially deployed log monitoring as a detective control
* Only 40 percent said they have fully or partially deployed incident detection and alerts

“These results underscore the challenges IT and security professionals grapple with every day,” noted John Pierce, vice president of information systems for Tripwire. “The risk and security landscape faced by organizations continues to increase in complexity, requiring us to deploy and manage more sophisticated and comprehensive solutions to address rapidly evolving risks.”

Other findings from the study include:

* 0 percent of respondents used external audits to identify security risks and only 5 percent used internal audits
* While 43 percent of respondents use formal risk assessments to identify security risks, only 31 percent use automated compliance monitoring for this purpose
* Only 10 percent of an organization’s security budget is spent protecting the application layer, even though 38 percent of respondents identified it as a key security risk
* Only 18 percent of an organization’s security budget is spent on the human layer

Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo