Symantec Report Shows IT Risk Management Lacking
"We took commonly held beliefs and put them under scrutiny and see if they still hold up," said Bob Yang, director of Symantec education services. "The overall trend is very encouraging. IT as a discipline is maturing."
Researchers conducted in-depth surveys and face-to-face interviews with more than 400 IT professionals in an attempt to classify security, availability, performance and compliance risks in the workplace. Their findings led them to examine and challenge four myths upheld by IT personnel and corporate heads related to risks.
Ultimately, the study addressed the overarching importance that IT serves throughout an entire organization, indicating that companies will be required to take more steps to manage IT failures as the world becomes more dependent on IT systems and processes.
"Within an organization, (IT) absolutely impacts every function, from the lowest level on up," said Yang. "We see increasing momentum in security awareness and companies want to develop a comprehensive strategy. At a macro level, IT risk doesn't necessarily just impact a company. It impacts all its trading partners."
That doesn't mean that companies are rushing to beef up IT risk management policies. The study indicated a serious disconnect between organizations that expect a major issue from laptops and mobile devices and their plans to manage the risks that these devices potentially create. Highlights of the study also found that 63 percent of respondents expected a major IT failure at least once a year, and 69 percent expect IT incidents to occur about once a month, while only 40 percent were actively managing their assets.
"While awareness is there, execution in terms of risk mitigation isn't there yet," Yang added.
In light of these statistics, Symantec researchers said that the survey's findings provided an opportunity to debunk popular myths and ultimately elevate and broaden the level of discussion between channel partners and their customers. Businesses and end users could then continue the conversation about adopting a comprehensive security strategy with their IT staff.
“What systems can tolerate more risk? Traditionally that discussion has been hard. Having a structured framework and toolset is a key part of the purpose of our report,” said Yang, who noted that the report could be used as a catalyst for channel partners to “move from a theoretical discussion to a fact-based discussion” with customers about comprehensive security strategies.
The study challenged the notion that IT risks are synonymous with security risks, concluding that businesses are adopting a more balanced view of IT risk, with more than 78 percent of respondents rating availability risk -- information or applications made inaccessible by process or systems failures -- as the most important aspect of IT risk.
"While systems might not go down, performance bottleneck can have just as devastating impact on a business," said Yang. "If your Website is slow and you miscalculate bandwidth requirements, it's just as bad as not having the Web site up at all."
The study found that many companies still see security as a one-time project -- a view which underestimates the evolving nature of security threats and IT risk management. The study also addressed the myth that IT risks could be mitigated by technology alone, concluding that the organizations that best managed their risk and have the fewest incidents, are those that balance technology with other sets of mitigations, such as training and updated process controls.
"As IT budgets shrink, people are forced to do more with less," said Yang. "The conventional strategy is that companies keep buying products but less service.”
Finally, the report debunked the fact that the IT risk management is a formulaic science, showing that in reality, that IT risk management is based on accumulated experience and adaptive good practices.
“IT is such a core part of business processes now,” said Yang. “I can’t imagine holding IT to a lower standard than that of the rest of the business.”