Increasingly, enterprises realize that they not only need to secure their digital assets, but that they need to do it economically. Most organizations know that they must comply with whatever government or industry regulations apply to them, from HIPAA to GDPR, but achieving compliance alone does not mean an organization has adequately secured itself. Likewise, simply spending more on security by layering on additional ineffective controls does not reduce risk. In fact, it can divert budget from other efforts that would better secure the enterprise.
It’s about being secure while best furthering the business.
That’s where FAIR comes in. FAIR, or Factor Analysis of Information Risk, is a methodology that aims to quantify and manage risk in any organization. The methodology models risk in financial terms so security professionals can better understand and analyze their security spend.
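To make "risk in financial terms" concrete, here is an added example (not code from the original post or from the FAIR Institute) of the top-level FAIR decomposition: annualized loss exposure is Loss Event Frequency (events per year) multiplied by Loss Magnitude (cost per event), each carried as a calibrated min / most-likely / max estimate rather than a single number. The scenario, the numbers and the control cost are constructed for illustration, and triangular draws stand in for the PERT distributions FAIR tooling usually uses.

```python
"""FAIR-style annualized loss exposure via Monte Carlo (constructed example)."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw as a stand-in for the PERT distributions FAIR tools use.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and what one occurrence costs."""
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # USD per loss event


def point_estimate(scenario: Scenario) -> float:
    """Single-number view: most-likely LEF times most-likely LM."""
    return scenario.loss_event_frequency.mode * scenario.loss_magnitude.mode


def simulate(scenario: Scenario, iterations: int = 20_000, seed: int = 1) -> list:
    """Draw LEF and LM independently each iteration; product is that year's loss."""
    rng = random.Random(seed)
    return [
        scenario.loss_event_frequency.sample(rng) * scenario.loss_magnitude.sample(rng)
        for _ in range(iterations)
    ]


def summarize(losses: list) -> dict:
    """Mean and percentiles of simulated annual loss (what a FAIR report tabulates)."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": statistics.fmean(ordered), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90)}


def control_net_benefit(before: Scenario, after: Scenario,
                        annual_control_cost: float, **kw) -> float:
    """Expected reduction in annualized loss minus the control's annual cost.

    Positive means the spend is justified on the modelled numbers; negative means
    the control costs more than the risk it removes.
    """
    reduction = (summarize(simulate(before, **kw))["mean"]
                 - summarize(simulate(after, **kw))["mean"])
    return reduction - annual_control_cost


# Constructed scenario: credential theft via phishing, before and after rolling out
# phishing-resistant MFA. Only frequency changes; cost per successful event does not.
PHISHING_BEFORE = Scenario(
    "phished credentials, passwords only",
    loss_event_frequency=Estimate(2, 6, 15),
    loss_magnitude=Estimate(20_000, 150_000, 1_200_000),
)
PHISHING_AFTER = Scenario(
    "phished credentials, with MFA",
    loss_event_frequency=Estimate(0.2, 1, 4),
    loss_magnitude=Estimate(20_000, 150_000, 1_200_000),
)
MFA_ANNUAL_COST = 120_000  # constructed licence plus operations cost


if __name__ == "__main__":
    for s in (PHISHING_BEFORE, PHISHING_AFTER):
        stats = summarize(simulate(s))
        print(f"{s.name}: point={point_estimate(s):,.0f} "
              f"mean={stats['mean']:,.0f} p10={stats['p10']:,.0f} "
              f"p50={stats['p50']:,.0f} p90={stats['p90']:,.0f}")
    print(f"MFA net benefit per year: {control_net_benefit(PHISHING_BEFORE, PHISHING_AFTER, MFA_ANNUAL_COST):,.0f}")
```

The point estimate (900,000 here) is what a spreadsheet usually shows; the simulated mean is several times higher because both inputs are right-skewed, and the p90 is what a board should be asked whether it is willing to absorb. The same structure answers the budgeting question in the post: a control is worth funding only when the drop in expected annual loss exceeds what the control costs.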
This week, the FAIR Institute released its annual Maturity Benchmark Survey, and while the 2018 results are somewhat better than the 2017 results, the findings remain concerning. Overall, the CISO respondents scored themselves 26 out of 100.
Here are a number of findings from the survey:
Respondents reported being relatively strong in their ability to meet regulatory compliance mandates, although even here fewer than half rated themselves strong:
Compliance Requirements: Strong 49%, Partial 48%, Weak 3%.
Most respondents believe they are well, or fairly-well funded to run their security program:
Organizational Resources: Strong 54%, Partial 43%, Weak 3%.
When it came to employee awareness of security policies, respondents rated themselves strong to fair:
Awareness: Strong 33%, Partial 58%, Weak 9%.
Many organizations rated themselves weak to fair at maintaining security objectives when they conflict with business objectives. Recall the old cliché in the security field that convenience trumps security:
Motivation: Strong 13%, Partial 44%, Weak 43%.
Most organizations have not fully embraced a proven cybersecurity framework on which to model their program:
Model Quality: Strong 14%, Partial 51%, Weak 35%.
Finally, most organizations don’t hold annual reviews on their risk management decisions as a check on whether they are on track:
Decision-Making Visibility: Strong 16%, Partial 50%, Weak 34%.
“The fact that 75% of the respondents have less than a 50% chance of cost-effectively achieving and maintaining an acceptable level of risk should not feel good to any of us,” Jack Jones, chairman of the FAIR Institute, said in a recent webinar that highlighted the survey results.
The survey shows that while enterprises have taken some steps to improve how intelligently they deploy their cybersecurity budgets, they have more work to do. Frameworks such as FAIR can help organizations better measure and understand their information security risks, so that they can manage those risks more effectively.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2019/02/19/enterprise-security-and-risk-management-efforts-continue-to-lag/