From Myth to Reality: Evaluating the State of IT Risk Management
Today Symantec launched Volume II of the IT Risk Management Report, entitled “IT Risk Management – From Myth to Reality.” It analyzes the results of interviews with more than 400 IT executives and professionals from around the world during 2007. As the title implies, the report takes a look at the truth behind four common myths around IT Risk Management.
Myth One: IT Risk = Security Risk
The report clearly demonstrates that people really don’t believe this myth any more. In fact, most (78 percent) of those participating in the survey thought that availability was the most important aspect of IT risk. While more than half of the participants rated every risk element serious or business-critical, only 15 percentage points separated the highest and lowest elements.
Myth Two: IT Risk Management is a Project
Well, anyone who believes this myth is making a big mistake because risk assessment and management needs to match the pace of incidents. The great majority of survey participants (69 percent) expected about one IT incident a month and more than a quarter (26 percent) expected a regulatory non-compliance incident every year. It’s therefore pretty clear that IT risk management must be an ongoing process.
Myth Three: Technology Alone Mitigates IT Risk
In fact, the report shows that those organizations that manage their risk the best (and have the fewest incidents) are those that balance technology with people and process controls. Unfortunately, training and awareness, which are really critical people and process controls, were the least effectively implemented at 43 percent, compared to 49 percent in Volume I. And, if we’re going to mitigate IT risks effectively we’ve got to develop a culture of risk awareness.
Myth Four: IT Risk Management is a Science
The report shows that in reality we are dealing with a developing business discipline—one that is based on the accumulating experience and good practice of those engaged in it rather than an exact science.
Some additional highlights of the report include:
• There is a serious disconnect between organizations that expect a major issue resulting from laptops and mobile devices and their plans to manage the risks stemming from such mobile devices.
• The fact that 63 percent of participants thought that data leakage posed a serious risk, but only 40 percent were actively managing their assets (the first critical step to preventing data leakage).
• It isn’t all doom and gloom. Some things seem to be getting better, such as secure system building and application development. This is perhaps indicating that people are beginning to concentrate on the fundamentals.
So, if you’re interested in the reality of IT risk management, you’ve got to read the report and find out the truth behind the stories of snake-oil and magic bullets! Check back on this blog in the next couple of weeks as I will be posting in more detail about the individual myths debunked by the report.