As the IT landscape evolves, companies are leveraging new tools and solutions in an effort to enhance mobility and productivity. In doing so, organizations may be able to gain a competitive advantage over rival firms, which will be important in the increasingly competitive private sector.
While this era of innovation can help companies boost efficiency, the growing adoption of cloud computing, virtualization and mobile trends also raises the potential for breaches caused by vulnerabilities. As a result, it is important that decision-makers incorporate risk into their daily operations to mitigate concerns associated with the changing IT landscape.
According to a new global study by the Ponemon Institute, however, many organizations in the U.K. are taking the wrong approach to risk-based security management (RBSM).
Deploying the wrong metrics will yield irrelevant strategies
The report found that the majority of U.K. companies evaluate RBSM programs on cost. While reducing expenses is important in today's struggling economy, it should not be the primary focus for data security initiatives.
The Ponemon Institute noted that following cost metrics can encourage the wrong behavior in a business as decision-makers will look for the least expensive solutions to protect mission-critical information and applications. In many cases, these tools are not as effective as more expensive services, resulting in a false sense of security and increasing the number of infrastructure vulnerabilities.
Instead of focusing on price, decision-makers must base their programs on the quality of controls used to safeguard valuable resources. If companies neglect to use the right metrics, it will be impossible for them to establish how well they are protecting solutions.
RBSM is necessary in today's business world
Companies need to maintain a strong commitment to RBSM programs and follow through on initiatives. According to the Ponemon Institute survey, approximately 72 percent of U.K. organizations say they are committed to RBSM, yet more than 50 percent have not implemented a formal policy. Among the businesses that do have strategies in place, many are taking the wrong approach.
The report noted that many U.K. firms are implementing robust preventative controls, which enhance data protection by limiting unauthorized access to mission-critical assets. While this is important, too many companies are neglecting to deploy detection solutions. As a result, an organization is only as strong as its preventative tools, because without detection controls IT departments will not be able to identify or monitor activity in virtual environments.
By taking a balanced approach to RBSM, companies will be able to prevent and detect anomalies more effectively and strengthen overall security.
"We believe risk-based security management will transform organizations' approach to protecting critical information assets and technologies from one that is reactive to proactive," Ponemon Institute founder Larry Ponemon said.
Insider threat evaluations differ between countries
The report noted that nearly three-quarters of businesses in the United States claim malicious insiders are a serious threat to IT security. In the U.K., however, only 49 percent of organizations feel insiders pose a danger to mission-critical assets.
It is imperative that companies do not downplay any potential threat, especially insiders. Decision-makers need to protect the "crown jewels" of the organization first and learn from past mistakes, a separate InformationWeek report said.
"If you experience an attack, you're not alone, but learn from it," Dawn Cappelli, the technical manager at Carnegie Mellon University's CERT insider threat center, said, according to InformationWeek.
Risk management programs should also include employee training sessions that teach individuals how to properly use new solutions.
By following through with a risk-based security management program, companies can mitigate concerns associated with insiders and new technologies. As a result, organizations can embrace innovative trends without the concern of exposing sensitive data and systems.
Data Security News from SimplySecurity.com by Trend Micro