Managing IT Risk in the Public Sector
Is the public sector bothered about IT risk? Although it’s a hot topic, as we saw at RSA in February, surely the public sector is more worried about saving money and meeting government targets? Well, yes – but one of the best ways of doing this is to ensure your IT systems operate efficiently and can deliver the services the public want, when they want them, not just when your offices are open. Shared services save money too – but mean sharing the security pain as well as the productivity gain. All this means more IT risk.
Symantec recently released the latest in-depth study taken from its IT Risk Management Report. This is a mini-report on findings from the public sector. The report looks at how IT professionals in the public sector view sources of IT risk and the effectiveness of the controls used to manage it. The report is based on feedback from 77 IT professionals in government and education. It provides a snapshot of how these organizations view the risk, how well they believe they are managing it, and how they could manage it better.
Surprisingly enough, it’s not all bad! When it comes to process controls, the public sector does well in asset inventory classification and management, and pretty well in incident response and organizational structure. However, other controls, especially training and awareness, are not so hot. Among technology controls, the public sector rates itself closest to “best in class” performance for physical security, and network, protocol and host security; but as far less effective in secure application development, secure systems build and deployment, and performance management.
Looking at how the public sector views IT risk, 55 percent of respondents rated finance and administration as critical or high – as one might expect with those targets to meet! However, far fewer respondents associated critical or high risks with customer relationship management – showing that the public sector still sees citizens as passive consumers, not active customers.
These findings confirm my experience in the public sector. We were good at understanding risk assessment (asset inventories and classification are the bedrock of this), and at the bureaucracy of managing risk and responding to incidents. However, it’s clear that there’s still a lot of old-fashioned thinking around – too many initiatives are driven “top down”, and performance and secure development are just not given a high priority.
Investment in training and awareness is key to changing this thinking. A recent Symantec-sponsored IDC study found that well-trained teams average 10 percent greater productivity than under-skilled teams. With new e-gov initiatives and shared services, too, there must be increased investment in high-performance, secure systems that eliminate costly flaws, manage risks, and optimize service delivery to citizens.
No report can fully address all the IT risks facing the public sector. However, this one gives a clear snapshot of some of the public sector’s strengths and weaknesses. So, we invite you to take a look in light of your own experience and, where appropriate, use these insights to help improve your IT risk management strategy.