
Symantec IT Risk Management Report Volume 2

Symantec | www.symantec.com


Key Conclusions

Symantec analyzed survey results and conducted secondary research to identify and dispel four persistent myths about IT Risk Management.

Myth One: IT Risk = Security Risk

Despite public perceptions, IT Risk covers more than Security:

  • Availability Risk was rated most significant – 78% of participants saw it as serious or business-critical for their organizations, followed by Security (70%), Performance (68%), and Compliance (63%).

    Implication: It is important to use good practice drawn from standards such as ITIL and COBIT to support IT risk management, because these focus on both operational and security concerns.
  • More than half the participants rated every risk element serious or business-critical, and only 15 percentage points separated the highest and lowest elements.

    Implication: Organizations where IT risk management reports only to the CISO may neglect many sources of IT risk.
  • As suggested by secondary research from Dartmouth, the costs of Availability risks cascade through the value chain, with efficiency impacts measured in millions of dollars from even minor performance issues.

    Implication: It is vital to address application performance issues, as these are among the most insidious to monitor and manage, and their failures have “snowball” effects that can often outpace the losses resulting from more obvious IT failures.
  • IT incidents are common: 66% expect a major regulatory incident and 59% a major data loss at least once every five years, and at least one major and ten minor IT incidents every year.

    Implication: Organizations need to invest more in solutions for monitoring IT compliance. SOX compliance may not be sufficient in itself.
  • A new metric for the IT Risk Report, Volume 2 was data loss. 46% specifically expect a serious data loss incident at least once every year. A possible cause may be linked to the poorest performing control found in the report: data asset classification, inventory and management (see Myth Three). Customers who do not thoroughly classify categories of data and the correct disposition of those categories may end up with a data loss incident.

    Implication: Data loss has very quickly risen as its own source of IT-related risk. Organizations need to focus more on endpoint and messaging management, content-based policies and database security.
  • 46% believe failure to consider laptops and remote wireless devices as network endpoints may have a serious impact on their business, yet only 34% believe their organizations have an up-to-date inventory covering 90% of such devices.

    Implication: While mobile devices represent serious risks for nearly half of organizations, only one third have the ability to manage that risk.

Myth Two: IT Risk Management is a Project

Rather than a point-in-time exercise, IT Risk Management needs to be a continuous program:

  • On average, the 405 survey participants anticipate significant IT-based incidents about once a month.

    Implication: IT Risk Assessment and Management needs to match the pace of incidents. Many organizations conduct IT risk assessments bi-annually at best, and only inventory assets (including endpoints, servers, databases, application configurations, etc.) sporadically. Such organizations may not be assigning sufficient resources to reduce their residual IT risks.
  • The report analysis identifies noticeable differences in perceptions of risk across major geographic regions, both in the portions of the business model that introduce IT Risk and in the influence of larger political and regulatory environments.

    Implication: Continuous IT Risk Management programs need to keep pace with changing business climates, including increasingly global economies. Many organizations tie IT risk assessment to annual events such as audits. Our data indicate that this approach leaves an organization potentially exposed to increased IT risk.
  • 42% of participants believe a zero-day attack would have a serious impact on their business. There is a slight but statistically significant correlation between better use of incident monitoring and management and configuration/change management controls and fewer zero-day attacks. There is also a stronger but still emerging correlation between people being concerned with zero-day attacks and higher deployment levels of these controls.

    Implication: Organizations need to realize that zero-day attacks exploit weaknesses in their ongoing incident monitoring and management and configuration and change control processes, and thus affect their ability to deal with IT incidents.

Myth Three: Technology Mitigates IT Risk

IT Risk Management takes more than technology. Effective organizations manage IT Risks by deploying people and process controls, with technology in a supporting role:

  • Best-in-class organizations deploy balanced controls to manage IT Risk – and expect fewer incidents than less effective organizations, despite higher perceived risk levels.

    Implication: Investment in IT risk management solutions enables organizations to successfully exploit their IT environment, for example by more effective use of outsourcing, increasing business-to-business links, having a more flexible workforce and enabling more effective use of the web for data and large-scale transactions, while having fewer IT-related incidents.
  • Joint research by Symantec and MIT’s Center for Information Research identifies process-based issues as the root causes of 53% of IT incidents.

    Implication: Technology is not the main problem; process failure is.
  • Organizational structure, roles and responsibilities was the most effectively implemented strategic control – 56% of participants rated their implementations more than 75% effective. Data lifecycle management – a highly process-intensive control – was least effective, at 43%.
  • Asset inventory, classification and management was the least effectively implemented support control at 40%; Operations management was the least effective delivery control at 44%.
  • Effectiveness with physical and environmental management has also declined, to 26%, from 44% last year.
  • Training and awareness was the least effectively implemented security control at 43%. Network, protocol and host security was the most effectively implemented security control at 73%.
  • The rating of effectiveness with network, protocol and host security had declined since the last report, with only 31% of this year’s participants rating themselves more than 90% effective, compared to 47% of last year’s.

Myth Four: IT Risk Management is a Science

Based on customer surveys and secondary research, Symantec sees IT Risk Management as an evolving business discipline – not a science:

  • Our additional qualitative research shows that IT Risk Management brings proven, disciplined processes to the connected world.

    Implication: IT risk management controls and processes have succeeded operational risk management, manufacturing process disciplines and business and IT governance, as business–critical must-haves.
  • The analysis shows that the best practices for IT Risk Management must include risk assessment and scoping, establishing a risk-aware culture by developing people, and giving the control processes enough time to take effect.

    Implication: The most cost-effective IT risk management controls are often not highly technical, but consist of basic employee awareness and training about appropriate procedures and the reasons for them.
  • Correlation analysis suggests that most effective organizations follow a natural progression in managing IT Risk, starting with security risk, moving to availability risk and delivery controls, and finally addressing compliance and performance risk by implementing strategic controls.

About the Participants

  • 405 participants representing 39 industry sectors and all sizes of organizations (25% 1,000-5,000, 28% 5,000-20,000, 21% >20,000) demonstrated involvement in IT risk management.

    Implication: IT risk management has traditionally been linked with risk-aware sectors, such as financial services, and with larger enterprises. This report shows that IT risk management is maturing as a discipline, since awareness of it is distributed fairly evenly across many verticals and over all sizes of organization.
  • Participants were widely distributed geographically (16% based in Europe, the Middle East or Africa, 28% in Asia-Pacific, and 55% in North America) and significant differences in the approach to IT risk management emerged across the geographical areas.

    Implication: This difference in approach means that multi-nationals may have larger challenges in addressing IT risk management across their enterprises.
