How is Your Organization Approaching Assessing Risks?
In the results of our current Security Barometer poll, your peers shared the steps they use to assess risk and how well they feel their organization is tackling significant security risks overall.
Poll question: Which of the following activities does the security function perform in your organization?
The activities shown in the graph are the common ones that organizations tend to perform as part of threat/vulnerability assessments and risk analysis. It was surprising that the frequency of some of these activities was as low as it was. For example, only 58% stated they involved risk owners, and only 41% developed a risk calculation (a step usually taken after one assesses the threats and vulnerabilities).
Poll question: In your opinion, how well do you think Security is addressing your organization's most significant security risks?
Fifty percent of the respondents chose the 7-8 range (with 10 being the highest score, meaning significant risks are adequately addressed).
Poll question: What are most of the security programs/services in your organization based on?
Thirty-two percent of respondents reported regulations and industry standards as the basis of their security programs and services, followed by a quarter of respondents who stated that a formal threat/vulnerability assessment and risk analysis process was the basis.
From the results of this poll, it appears Security is focused on mitigation and physical technologies but lagging in formal risk assessments. Are the "hard assets" of security driving security activities rather than the real risks that a particular organization is facing? Intuitively, without a formal risk assessment, you could still be working on the right things, but that is not very provable or defensible. This poll suggests a need to merge a formal risk assessment process with the security risk management framework.
If you would like to discuss the benefits of security using a formal risk assessment approach, please contact us at firstname.lastname@example.org