From myth to reality

Symantec's second volume on IT risk management attempts to dispel the myths that surround the subject and highlights the importance of people and processes for effective risk management.

By Sathya Ashok, published March 16, 2008


The second volume of Symantec's IT risk management report, titled 'IT Risk Management - from Myth to Reality', sets out the false beliefs that surround enterprise risk management and, by doing so, tries to bring clarity to the subject.


"The latest report aims to build a common understanding about IT risk, which it views as consisting of four elements: security, performance, availability, and compliance. The report analyses the results of interviews with more than 400 IT executives and professionals from around the world in 2007. As the title implies, the report takes a look behind four common myths that surround IT risk management," states Jeremy Ward, EMEA senior security product manager at Symantec.

The four myths are: that IT risk management is all about security; that it is a one-time process; that technology alone can mitigate risk; and that the whole procedure is a science.

"As far as the first risk is concerned, I am glad to say that the report clearly demonstrates that many don't believe it any more. The report shows that concerns about availability risk have now come to the fore - 78% of participants saw it as a serious or critical risk to their business. Many are also beginning to use some of the good practice standards that are out there, such as CoBIT and ITIL," explains Ward.

According to Ward, around 69% of respondents expected some sort of IT incident about once a month or more often. About 62% expected a major IT incident at least once a year, 26% a regulatory non-compliance incident at least once a year, 25% data leakage from their IT systems at least once a year, and 8% a major information loss at least once a year.

"From this it's pretty obvious that a single project isn't going to address your risk management problems. What is needed is a more holistic approach. First you've got to find out what risk is acceptable to you. This means that you have to understand which IT and information assets are important to your business. Once you know what your assets are and how important they are to your business, you will be able to plan what actions to take when the inevitable incidents happen. Unfortunately, only 40% of businesses seem to take asset classification and management seriously," states Ward.

The report also demonstrates that technology alone can never combat IT risk and that a combination of people and processes is necessary for effective risk management within organisations.

"Unfortunately, training and awareness, which are really critical people and process controls, were the least effectively implemented at 43%, compared to 49% in the first volume of the report. And, if we're going to mitigate IT risks effectively we've got to develop a culture of risk awareness. Don't give up on the technology! Just remember that there are some very important processes that you must also get right," says Symantec's Ward.

The last myth is dealt with in the report by the observation that risk assessment is more of an organisational management task which can be added to with experience and effective implementation of processes.

According to Ward, the report also highlights other important issues, including the serious disconnect between organisations' expectation of a major incident involving laptops and mobile devices and their plans to manage the risks those devices bring. Around 63% of participants thought that data leakage posed a serious risk, but only 40% were actively managing their assets, which is the first critical step in preventing data leakage.

"It isn't all doom and gloom. Some things seem to be getting better, such as secure system building and application development. This is perhaps indicating that people are beginning to concentrate on the fundamentals," concludes Ward.
