Risky Business: Understanding IT Risk Management
If 2006 was the year of NAC, then 2007 is already shaping up to be the year of Risk Management. Perhaps you missed many of the analyst and expert New Year’s predictions of information security evolving into IT Risk Management this year, but a brief walk through RSA’s show floor and a perusal of the product news coverage would have only confirmed 2007’s focus on IT risk.
Similar to NAC’s challenges, there seems to be a good deal of confusion regarding the definition of IT Risk Management and how it is practiced. Fortunately—nearly one year later and after 500+ in-depth interviews with IT executives and business professionals worldwide—Symantec released the results of a new study, the IT Risk Management Report. The report is designed to cut through some of the industry noise and help organizations understand the fundamental elements of IT Risk Management and provide best practices to begin managing those risks.
Key findings from the study include:
• Organizations anticipate major information loss and compliance failures at surprisingly high frequencies:
- 66 percent expect a major regulatory incident at least once every five years
- 58 percent expect a major data loss at least once every five years
- 60 percent expect a major IT incident at least once a year
• Organizations are more effective at implementing technology controls than process controls. The worst performance was in key areas such as asset and configuration management.
• Best-in-class organizations have an "appropriate paranoia": they perceive higher risk levels even though they experience fewer IT incidents. As a result, they were more effective at implementing the entire range of controls, not just a few.
• IT executives have different perceptions of compliance risk and business process risk than IT directors. This indicates a lack of communication in the organization, which is likely to lead to wasted resources.
The report is based on the experiences of IT professionals across 37 industries and a range of geographies and organization types. It outlines a five-step process to help organizations put consistent, measurable, long-term programs in place to avoid over- and under-investment and achieve steady improvements measured against agreed goals.
The development of the 52-page report was a tremendous undertaking, but one that should prove worthwhile in helping organizations better understand and manage IT risk. Managing IT risk is becoming everyone’s job—from the CIO to the backup administrator—so we encourage all to take a look. And while you’re at it, get an individualized peer benchmark report that compares your organization to others in your industry. Complete this survey online or download a PDF version to return by fax.