Security Barometer: How is Your Organization Approaching Assessing Risks?

Created by the Security Executive Council

In the results of a 2017 Security Barometer poll, security practitioners shared the steps they use to assess risk and how well they feel their organization is tackling significant security risks overall.
Poll question: Which of the following activities does the security function perform in your organization?

[Chart: which activities the security function performs in your organization]

The activities shown in the graph are the common ones that organizations tend to perform as part of threat/vulnerability assessments and risk analysis. It was surprising that the frequencies of some of these activities were as low as they were. For example, only 58% of respondents stated that they involved risk owners, and only 41% developed a risk calculation (a step usually taken after one assesses the threats and vulnerabilities).
Poll question: In your opinion, how well do you think Security is addressing your organization's most significant security risks?

Fifty percent of the respondents chose the 7-8 range (with 10 being the highest score - adequately addressing significant risks).

[Chart: opinion of how well Security is addressing the organization's most significant security risks]

Poll question: What are most of the security programs/services in your organization based on?

[Chart: what most security programs/services are based on]

Thirty-two percent of respondents reported that regulations and industry standards were the basis of their security programs and services, followed by a quarter of respondents who cited a formal threat/vulnerability assessment and risk analysis process.
Next Steps
From the results of this poll, it appears Security is focused on mitigation and physical technologies but is lagging in formal risk assessments. Are the "hard assets" of security driving security activities, or are the real risks the organization faces driving them instead? Without a formal risk assessment, you could be working on the right things, but that is not very provable or defensible. This poll suggests a need to merge a formal risk assessment process with the security risk management framework.
