SOURCE: Tripwire, Inc.


June 13, 2012 08:00 ET

Tripwire and Ponemon Institute Reveal Most U.S. Businesses Are "All Talk, No Walk" When It Comes to Risk-Based Security Management

Security Fright Index Shows Malicious Insiders as the Number One Threat to Information Security, Keeping Security Professionals Awake at Night

NATIONAL HARBOR, MD--(Marketwire - Jun 13, 2012) - Tripwire, a leading global provider of IT security solutions, and the Ponemon Institute today announced the results of "The State of Risk-Based Security Management (RBSM) Study" at the Gartner Security & Risk Management Summit. This international study included data from 2,145 individuals from organizations of different sizes and types in the United States, United Kingdom, Germany and the Netherlands.

This study evaluates how organizations view Risk-Based Security Management (RBSM), how they address it through formal programs and the deployment of specific controls, and how they measure program effectiveness.

The report details the current state of risk management and perceptions about its benefits to organizations, and provides guidance on how to strengthen an organization's security practices and add value to the business through a risk-based approach. The report also provides recommendations for mitigating risks, protecting data, and detecting cyber attacks and data breaches accurately and efficiently.

Highlights from this report include:

  • Although organizations profess a strong commitment to RBSM, they are taking little action. Over three quarters (77 percent) express significant or very significant commitment to RBSM, yet barely more than half (52 percent) have a formalized approach to it, and less than half (46 percent) have actually deployed any RBSM program activities.
  • Those organizations with a formal approach to RBSM tend to walk the talk. However, around a third (30 percent) of organizations have no RBSM strategy at all, and close to a quarter (23 percent) have only an informal or ad hoc strategy.
  • Most organizations implement the appropriate preventive controls but neglect to implement sufficient detective controls. Between 80 and 90 percent of organizations have partially or fully deployed preventive controls, but only about 50 percent have deployed the majority of detective controls.
  • Perceptions of RBSM differ in the U.S., U.K., Germany and the Netherlands. In the U.S., 71 percent of organizations say they are concerned about malicious insiders. In the U.K. that number drops to 49 percent, to 32 percent in Germany, and to only 16 percent in the Netherlands.

Key findings from this study conclude that although a majority of organizations have high commitment levels towards RBSM, only half of these organizations have a formal program, function, or set of activities dedicated to RBSM and most of these are only partially implemented -- or in other words, organizations today are "All talk, no walk."

"It is evident from this data that CISOs must move beyond 'lip service' when it comes to Risk-Based Security Management," said Dwayne Melancon, CTO for Tripwire. "Savvy security executives will leverage risk as a means to drive business-relevant discussions, and use objective measures to show security effectiveness. It is imperative to break the cycle of 'habitual security spending' to better align security resource allocations within their businesses."

When asked to indicate their level of concern about specific threats to information security, survey respondents rated malicious insiders as the greatest threat to information security today, followed closely by web application vulnerabilities and employee carelessness.

"We believe risk-based security management will transform organizations' approach to protecting critical information assets and technologies from one that is reactive to proactive," said Larry Ponemon of the Ponemon Institute. "Our goal in providing this research is to help organizations make this approach a core business imperative."

To access the complete Ponemon Institute study along with related multimedia content, please visit or follow the conversation on Twitter via the hashtag #RiskyBiz2012.

About Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Tripwire, Inc.
Tripwire is a leading global provider of IT security solutions for enterprises, government agencies and service providers who need to protect their sensitive data and critical infrastructure from breaches, vulnerabilities, and threats. Thousands of customers rely on Tripwire's critical security controls, such as security configuration management, file integrity monitoring, and log and event management. The Tripwire VIA™ platform of integrated controls provides visibility and intelligence into business risk while automating complex and manual tasks, enabling organizations to better achieve continuous compliance, mitigate business risk and help ensure operational control. Learn more at or follow us @TripwireInc on Twitter.
