Security Barometer: How is Your Organization Approaching Assessing Risks?
Created by the Security Executive Council
Poll question: Which of the following activities does the security function perform in your organization?
The activities shown in the graph are the common ones that organizations tend to perform as part of threat/vulnerability assessments/risk analysis. It was surprising that the frequency of some of the activities was as low as it was. For example, only 58% of respondents stated they involved risk owners, and 41% developed a risk calculation (a step usually taken after one assesses the threats and vulnerabilities).
Poll question: In your opinion, how well do you think Security is addressing your organization's most significant security risks?
Fifty percent of the respondents chose the 7-8 range (with 10 being the highest score - adequately addressing significant risks).
Poll question: What are most of the security programs/services in your organization based on?
Thirty-two percent of respondents reported regulations and industry standards, followed by a quarter of respondents stating that a formal threat/vulnerability assessment and risk analysis process was the basis of their security programs and services.
Next Steps
From the results of this poll, it appears Security is focused on mitigation and physical technologies but lagging in formal risk assessments. Are the "hard assets" of security driving security activities, or are the real risks that the organization is facing driving them instead? Without a formal risk assessment, you could be working on the right stuff - but that is not very provable or defensible. This poll suggests a need to merge a formal risk assessment process with the security risk management framework.
For more information on this topic see Risk-Based Security: Risk Assessment
Copyright Security Executive Council. Last Updated: July 18, 2018