Security Response

Dispelling Myth 3: IT Risk Management can be Solved by Technology Alone

Created: 06 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:33 GMT
Jeremy Ward

So, you think that there’s a magic bullet to deal with IT risk? In fact you probably wish there was, but since you don’t believe in Santa Claus, you know there isn’t! Of course that doesn’t stop people from looking for a quick technology fix. However, the latest Symantec IT Risk Management Report reveals that technology is not necessarily the issue. The report cites a study conducted jointly by Symantec and MIT’s Center for Information Research, showing that the majority (53 percent) of IT incidents have a process-based cause. Interestingly, the report also shows that organizations believe their technological effectiveness is declining. Last year’s number one effective control set was network, protocol, and host security. It’s still up there at the top, but there’s been a reduction of 16 percent in those who think they’re more than 90 percent effective (down from 47 percent to 31 percent).

Experience shows that it’s a balance of technology, process, and people that is most effective in managing IT risk. Once again, the report bears this out: best-in-class organizations that deploy balanced controls are those that have fewer incidents. Unfortunately, some very important process controls don’t seem to be that well implemented. Only 43 percent of organizations felt themselves to be really effective (more than 75 percent) at data lifecycle monitoring. Those who aren’t effective at this need to be concerned, because knowing where your data is, where it comes from, and where it goes to is the only way that you’re going to be able to demonstrate compliance and governance, as well as guard against data leakage. So don’t give up on the technology! Just remember that there are some very important processes that you must also get right.

Previous blogs in this series:

From Myth to Reality: Evaluating the State of IT Risk Management

Dispelling Myth 1: IT Risk Management is All About Security

Dispelling Myth 2: IT Risk Management is a Project