Created by the Security Executive Council
In the results of a 2017 Security Barometer poll, security practitioners shared the steps they use to assess risk and how well they feel their organization is tackling significant security risks overall.
Poll question: Which of the following activities does the security function perform in your organization?
The activities shown in the graph are the common ones that organizations tend to perform as part of threat/vulnerability assessments and risk analysis. It was surprising that the frequency of some of these activities was as low as it was. For example, only 58% of respondents stated that they involved risk owners, and only 41% developed a risk calculation (a step usually taken after the threats and vulnerabilities have been assessed).
Poll question: In your opinion, how well do you think Security is addressing your organization's most significant security risks?
Fifty percent of the respondents chose the 7-8 range on a 10-point scale (with 10 being the highest score, meaning the most significant risks are adequately addressed).
Poll question: What are most of the security programs/services in your organization based on?
Thirty-two percent of respondents reported that regulations and industry standards were the basis of their security programs and services, followed by a quarter of respondents who stated that a formal threat/vulnerability assessment and risk analysis process was the basis.
From the results of this poll, it appears that Security is focused on mitigation and physical technologies but is lagging in formal risk assessments. Are the "hard assets" of security driving security activities, or are the real risks the organization faces driving them instead? Without a formal risk assessment, you could be working on the right things, but that is not very provable or defensible. This poll suggests a need to merge a formal risk assessment process with the security risk management framework.