Managing IT Risk

July 24, 2007
Summary

This article shows how Symantec’s approach to IT Risk Management can help organizations reduce risk exposure, maximize IT performance, and control costs.

Introduction

For today’s CIOs, there can be little doubt that these are the proverbial “interesting times.” Think about it: We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, thus increasing our exposure to all forms of IT risk. The fact is, if we don’t get IT risk under control, we put the entire business at risk. That’s why Symantec believes there has never been a better time for taking a comprehensive approach to IT Risk Management.

The way we work now

It’s no exaggeration to say that IT-driven innovation has become the engine fueling global commerce. That innovation has opened new markets, established new business models, and driven incredible gains in productivity. But those successes haven’t come without consequences. We’ve arrived at a critical juncture where we have become almost entirely dependent on IT. And with IT dependence, comes exposure to IT risks.
What kinds of risks are we talking about? Symantec’s IT Risk Management Report, published for the first time in February, examined IT risk based on interviews with more than 500 IT executives and professionals worldwide. Among the report’s findings:
  • 62% of organizations expect a regulatory breach and major information loss in the next five years.
  • 66% of organizations perceive high/critical operational risk in finance and administration.
  • 61% of organizations are not highly effective at governance, compliance, and continuous improvement.
  • 24% of IT staff time is devoted to addressing business application performance delays.
Generally speaking, organizations today must address four main types of IT risk:
  • Security: This is the risk that internal or external threats may result in unauthorized access to information. It covers such things as data leakage, data privacy, fraud, and endpoint security. It includes broad external threats, such as viruses, as well as more targeted attacks on specific applications, specific users, and specific information: attacks intended to steal money or to compromise the systems your people rely on every day.
  • Availability: This is the risk that information might be inaccessible due to unplanned system outages. You have a responsibility to customers, employees, and stakeholders to keep your business running. As a result, you need to reduce the risk of application loss, data loss, or data corruption. And, in case of a disaster, you need to be able to recover within the time your business requires.
  • Performance: This is the risk that information might be inaccessible due to scalability limitations or throughput bottlenecks. Your business needs to accommodate volume and performance requirements, even during peak times. As a result, you need to identify performance issues proactively, before end users or applications are impacted. And, to minimize costs, you need to optimize resources and avoid unnecessary hardware expenditures.
  • Compliance: This is the risk of violating regulatory mandates or failing to meet internal policy requirements. Your business needs to comply with federal and state regulations and industry standards, such as Sarbanes-Oxley, ISO 9000, or the British Standards Institute PAS56 framework. You need to retain information and provide a highly efficient search and discovery engine to find content in emails when required. In addition, you need to ensure that your employees are following your own internal best practices and policies so that your business operates in the most efficient manner.
But it’s also the case that these four types of IT risk are increasingly interrelated and important to just about everyone in the organization. For example, IT directors and managers are on the front lines when IT failures occur. They see how patches must be rolled out in a compliant manner to protect systems from security threats, or how data protection practices designed to improve availability might degrade network performance and create security vulnerabilities if the data isn’t encrypted. It’s all connected.
Plus, as IT failures become synonymous with business failures, IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies such as FedEx, Procter & Gamble, and Home Depot have even established special board committees whose sole purpose is the management of IT risk.

Five steps to managing IT risk

Symantec Global Services has developed a five-step approach to managing IT risk. The cornerstone of the approach is this belief: When an organization successfully manages IT risk, it is better able to use IT to compete and innovate with confidence.
The first step is to develop an awareness and understanding of the specific IT risks to your business: security, availability, performance, and compliance.
The second step is to quantify risks through an impact assessment and develop a business case for IT investment. Impact can take many forms, including customer losses, business losses, damage to brand equity, legal costs, and regulatory fines.
Next, companies should understand the range of tools they can apply to managing IT risk and design a solution. Technology is clearly an important component of the solution, but just as important are tools that address the human elements of an IT system, including training and operational processes.
The fourth step is to align IT risks and costs with the business to find the right level of investment, and then implement the solution. Obviously we can’t afford to apply the highest levels of protection to every IT risk we identify.
The last step is to develop a systematic ongoing capacity to manage IT risk. It’s not a project but an ongoing activity that must be built into the culture of the organization.

Getting started

Recently, Symantec introduced a consulting service designed to provide customers with an overview of their current IT risk exposure and guidance on remediation. Symantec Foundation IT Risk Assessment helps organizations take the first step toward a comprehensive IT Risk Management program. The service identifies, categorizes, and prioritizes current IT risks so investments can be made in projects that manage IT risk, cost, and performance for maximum business returns.
The Foundation IT Risk Assessment includes interviews, workshops, data analysis, and an executive presentation of findings and recommendations. Client executives also receive a report detailing current risks and recommended remediation plans. All methodologies are based on industry best practices and years of experience advising and managing IT operations.

Conclusion

Today’s organizations are more dependent than ever on IT. As IT dependence increases, however, the potential for an IT failure to disrupt business operations becomes a serious management concern. Organizations must find a way to reduce exposure to IT risks, decrease costs, and build greater capacity for IT to drive business innovation.
“Amazing opportunities are visible on the horizon,” says Greg Hughes, group president of Symantec Global Services. “But we are approaching the limit of what can be achieved with old ways of thinking.”
Symantec Global Services offers the expertise and resources that organizations need to manage IT risk, maximize IT performance, and control cost.