So you think IT risk management is a science? Or maybe you've never thought about it and have simply assumed that some clever expert has worked out all the angles. Unfortunately, that's not the case. The latest Symantec IT Risk Management Report gives some figures on how organizations manage (or fail to manage) their IT risk. It makes for interesting reading and includes data about real incidents, analyzed jointly by Symantec and MIT's Center for Information Research. What is clear is that IT risk management, although not a science, is evolving into a business discipline.
Correlation analysis of the data in the report shows that organizations are beginning to follow a natural progression in the way they manage their IT risk. They tend to start by looking at security risk, then move on to availability and delivery risk, and finally address performance and compliance risk by implementing the more strategic controls. Experience shows that this progression is generally instinctive rather than scientific. The most obvious and intrusive issues (such as confidentiality and availability) tend to be dealt with first, especially where there is a good technological way of dealing with them. Strategic issues are more complex and difficult, so they tend to get left until last. This is a pity, because some of the more strategic controls are relatively easy to implement and deliver an immediate and obvious benefit.
Take establishing a risk-aware culture, for example. The report shows that only 43 percent of organizations feel they are really effective at training and awareness. The implication is obvious: IT risk management may not be a science, but awareness of it is something that can be taught. Once people understand why it is needed and what they need to do about it, you will have fewer IT incidents.
Previous blogs in this series: