But, he says, that progress has been matched or even exceeded by attackers.
"The threat vectors are more sophisticated - bad guys have gotten better," he said.
Erik Devine, CSO of Riverside Medical Center, says one of the biggest ERM successes in his organization has been "finding avenues in technology to secure information at a lower cost."
The biggest challenge, he says, has been trying to integrate information security into the goals of the corporation, "including patient care, financial, compliance and patient information. I'm finding many challenges on changing a philosophy that has been in place for quite some time."
Devine says he also struggles with controlling the risks of a bring-your-own-device (BYOD) culture and how it can lead to unauthorized data leakage, especially in an era when federal laws, including HIPAA and the Health Information Technology for Economic and Clinical Health Act, have made medical institutions more directly responsible for any breaches of protected health information.
Wysopal says he thinks security teams are doing better at identifying attackers and their techniques, which lets them set priorities on what kind of defenses they need. But "patching the desktop to mitigate spearphishing remains a challenge," he said.
"Many CSOs are struggling with Web application security also. They are able to cover high-risk apps because the business can see the risk, but often lower-risk marketing-type Web applications go unsecured and can lead to breaches."
Stiennon says that the results of ERM development and maturity at many enterprises are proof of its failure.
"Risk-management methodologies have been deployed at most large enterprises and have reached a high level of maturity. Yet breaches and successful targeted attacks are becoming more frequent and of higher impact. Clearly, risk management is not working."
Stiennon further argues that terms like "risk appetite," which have some meaning in financial markets, really don't mean anything in IT security.
"There is no 20 percent willingness to lose 10 percent of our assets," he said. "The real mandate is to avoid costly data losses. In practice this means risk management methodologies that loosely translate into 'protect everything,' which is demonstrably impossible. But risk managers, even if they agree that their end goal is impossible, argue that doing 50 percent of this will reduce attack surface area, so it is worth doing."
Regarding cutting costs, Stiennon insists it never happens.
"Risk management is extremely costly. It usually involves an expensive team of professionals. None of their activities are directed at stopping targeted attacks that bypass their controls."
And when it comes to enabling the business, Stiennon argues that success in that area can enable it in a dangerous way. "The credit card companies, in concert with the U.S. banks, used risk management to determine that the risks associated with banking credential theft were low and allowed an entire economy of cybercriminals to crop up," he said.