While the majority of CISOs may profess a commitment to managing security based on risk management principles, the truth about how they execute on those principles may be a lot more imperfect. The unfortunate reality, say experts, is that many organizations simply pay risk management lip service, but aren't really making security decisions based on risk management metrics.

"It's easy to commit to concepts, but execution depends on something more concrete," says Tim Erlin, director of IT risk and security strategy for Tripwire. "While the idea of managing information security in alignment with business risks is attractive, there's not a lot of guidance or best practice information to inform execution."

A study out last week sponsored by Tripwire and conducted by the Ponemon institute found that while 81 percent of security and risk professionals in the U.S. said their organizations have a significant commitment to risk-based security management, less than 30 percent actually have a formal risk strategy that is applied across the enterprise. Read full story on Dark Reading

Post a comment to the original version of this story on Dark Reading