Symantec Report Takes Aim at Persistent Myths About IT Risk
Introduction
IT Risk—encompassing security, availability, performance, and compliance elements—has become a critical issue for executives and boards of directors. Yet some common myths about IT risk persist, and they need to be dispelled if IT risk is to be managed effectively.
So concludes Volume 2 of the Symantec IT Risk Management Report, issued in late January. Based on survey responses from more than 400 IT professionals in 39 industry sectors, this latest report builds upon the findings of Volume 1, which was released in February 2007.
What changed in a year?
The initial IT Risk Management Report, based on more than 500 interviews, concluded that best-in-class organizations—even though they face higher risk levels—experience fewer incidents than less-effective organizations. Their effective defense against more intense attack may be attributable to balanced investments across a range of controls to mitigate the full spectrum of IT risks.
Volume 2 extends and further defines some of the key issues and trends raised in the first report. For example, awareness of the importance of IT risk management to organizations and the IT profession itself continues to rise. However, this awareness hasn’t yet “dispelled a few persistent misunderstandings about the nature and extent of IT risk, the best ways to manage it, and the shortcuts and traps that lie along the path.”
Specifically, Volume 2 identifies four persistent myths about IT risk management:
Myth #1: IT risk equals security risk
No myth about IT risk management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word “risk” seems to apply more easily to security than performance, availability, or compliance. In fact, survey participants rated availability risk as most significant—78% saw it as “serious” or “business-critical” for their organizations, followed by security risk (70%), performance risk (68%), and compliance risk (63%).
“Security is important, but it’s not the whole story,” says Jeremy Ward, Service Development Director at Symantec, who spearheaded the report. “Availability is probably the biggest risk in terms of its importance to the business.”
Interestingly, more than half the participants rated every risk element serious or business-critical, and only 15 percentage points separated the highest and lowest elements.
Survey responses also indicate that IT incidents are common, with 63% of participants expecting a major IT incident every year and 59% a major data loss at least once every five years. In addition, the responses show IT professionals in agreement with their customers about the gravity of data leakage: 63% believe a data leak would have serious impact on their businesses.
Myth #2: IT risk management is a project
Involved as they are in hundreds of projects, busy enterprise IT departments may view the assessment of IT risk as a “one-off” project, to be followed by adjustments to remediate specific deficiencies. While better than no assessment, this approach can yield unsatisfactory results.
“IT risk management isn’t a one-time project,” says Ward. “It’s got to be dynamic and iterative, something you constantly do. It’s not static. As employees, partners, the business environment, and applications change, you have to keep revising your assessment. You don’t point your steering wheel in one direction and then just leave it there.”
On average, the 405 survey participants anticipate “significant” IT-based incidents nearly once a month. “At such an incident rate,” the report observes, “annual or bi-annual IT Risk Management is clearly insufficient.”
Moreover, participants' responses confirm what is now a fact of life for IT professionals: they operate in an ever-changing IT risk environment.
“Not only are IT and business environments rife with every kind of IT risk, but the risks are constantly changing,” the report observes. “In fact, every category of IT risk is evolving all the time, driven by technology change, company go-to-market strategy, and the macro business climate.”