A new report from Symantec praises CIOs and chief information security officers for taking a broader view of risk. But it raises concerns that IT professionals underestimate the potential for data leakage in a business environment that can span continents and include myriad partners.
In addition, while organisations no longer view IT security as a line item or one-off project, many IT shops fail to do the kind of asset inventory necessary to gain clear insight into the spectrum of risk their businesses face.
The report was based on interviews with 405 IT professionals in 39 industry sectors.
IT professionals are taking a more comprehensive view of IT risk than just six months ago, the study found, dispelling the myth that IT shops equate IT risk with security.
IT executives increasingly say "availability risk" -- the damage done when critical systems go down -- is as serious a risk as a breach of information systems, or even more critical, the study found. The IT industry also recognises that failure to meet compliance mandates can do serious damage to a company's reputation, and cause legal problems as well. Finally, as IT systems become ever more integral to business operations, IT organisations realise that underperforming systems and applications pose a serious risk to productivity and company value.
Expectations vs. reality
Samir Kapuria, managing director of advisory services
"More and more CIOs are recognising that IT risk management is a continuous program, not a project," Kapuria said.
Although IT professionals are taking a more comprehensive view of risk management, the study also found that IT risk programs fail to address some obvious threats. They also fail to fully comprehend the dynamic nature of these threats to their businesses.
For example, the study found that IT professionals are well aware of the dangers posed by data leakage, with 63% agreeing that it can inflict serious damage to their companies.
However, the study suggests that IT professionals are underestimating the frequency of data leaks: A majority of those surveyed said they expect a data leakage incident at their company to happen once every five years; 46% expect data leakage incidents as often as once a year.
Jon Oltsik, senior analyst at The Enterprise Strategy Group, said the study points out that expectations have not caught up with reality. "There is more data, the data is accessible to more people, the risk becomes more pronounced every day," he said. "What the data suggests is we have to be more realistic about the current likelihood of a data breach and execute on those odds rather than on historical expectations."
In general, however, Oltsik said it was encouraging that companies are recognising that IT risk is not just IT's problem.
"IT security was always thought of as the equivalent of risk, but now it is seen as a subset of risk," Olstik said. "I see more companies examining their business processes, understanding who has access to their data and really looking at the performance of their core infrastructure and applications. So companies are starting to look at IT risk as business risk, rather than just a focus on security."
One worrisome trend uncovered in the survey, however, is that companies are not paying enough attention to training and employee awareness. According to the report, process issues cause 53% of IT incidents. But process controls are getting short shrift, the report found. Only 43% of respondents this year rated their process controls, such as training and employee awareness, as more than 75% effective, down from 50% of respondents to the same question a year ago.
Risk, 'round the clock, globe
Companies are under constant assault from IT security, compliance, availability and performance incidents. According to the study, 69% of those surveyed said they expect a minor IT incident once a month, 63% expect a major IT failure at least once a year, 26% expect a regulatory noncompliance incident at least once a year, and 25% expect a data-loss incident at least once a year.
Despite the nonstop threats, however, many organisations do not implement some fundamental risk management controls, such as asset and inventory classification control.
Only 43% of those surveyed, for example, rated data lifecycle management "greater than 75%" effective, down 17% from those surveyed a year ago. The weakness of these controls means assets are apt to be "treated equally," Symantec's Kapuria said, so some systems, processes and objects will be overprotected and others underprotected from IT risk.
Only 34% of respondents said they believe they have an up-to-date inventory for their wireless and mobile devices, which are essential in today's business world. On the other hand, applications are rising on the IT security agenda: The study showed a 10% jump in the number of participants rating secure application development as "more than 75% effective."
The report also sheds light on the state of IT risk management within particular industries. Health care participants expected the most IT incidents of any industry sector. Telecommunications ranked highest in deploying IT risk management controls, followed by banking and financial services. Symantec attributes the superior management controls in the telecommunications, banking and finance sectors to public and governmental scrutiny, better governance and compliance controls and concerns over the protection of personal data.