Many professionals in information security espouse a belief in, and a commitment to, "risk-based" security management. In fact, according to the latest Ponemon Report on Risk Management, 77% of those surveyed claimed a commitment to it. Ironically, the analysis of the survey responses indicated that, despite their stated intentions, most of the respondents and their organizations were not acting in ways that reflected this commitment. While this disconnect is not uncommon, it is nonetheless disconcerting.
In response to this finding, we felt it useful to offer guidance to those who wish to implement a risk-based security management (RBSM) program. We believe these recommendations will not only help you understand the general steps to take, but also provide indicators of your progress.