Organizations Anticipate Security Breaches, Incidents
The Symantec IT Risk Management Report survey data indicated that a majority of respondents expect to be impacted by some type of security or compliance incident in the next one to five years. Specifically, 66 percent of respondents expect a major regulatory incident at least once every five years. Additionally, 58 percent of respondents expect a major data loss caused by events such as data center outage, corruption of data, or breach of security systems, at least once every five years.
Deployment of Process Controls Falls Behind Technology Controls
Effective IT risk management requires a strong combination of expertise and investment in process controls and technology controls. The most effective IT risk management programs use defined controls that combine well-chosen technologies and best-practice processes. The Symantec IT Risk Management Report revealed that professionals surveyed at all levels of organizations, across industries, scale, and geographic reach, view their organizations' capabilities with technology controls as more effective than with process controls.
The report findings indicated that authentication, authorization, and access was the process control rated highest for effectiveness, with 68 percent of respondents rating their organization more than 75 percent effective. The report also underlined a specific process control problem in identifying, classifying, and managing IT assets. Only 38 percent of respondents rated themselves more than 75 percent effective in implementing asset inventory, classification, and management process controls. These controls are of fundamental importance in building an IT risk management program that reflects the organization's priorities. Without careful risk assessment, all assets are likely to be treated equally, leaving some overprotected and others underprotected.
"Organizations are beginning to see the value in taking a proactive, rather than reactive approach to their IT risk management strategy," said Kevin Isaac, Regional Director for Symantec Middle East and North Africa.
"Effective IT risk management requires organizations to assess both their technology and processes, as well as have a clear understanding and agreement about different risks that may impact their systems, and their overall business."
"As organizations are growing more and more dependent on their IT systems to conduct business, IT risk has become a primary concern for business leaders and one that should be addressed as part of a larger business risk management strategy," said Isaac. "The Symantec IT Risk Management Report offers organizations a comprehensive view of IT risk perceived by various organizations worldwide."
Holistic Approach to IT Risk Management Yielded Fewer Incidents
Data from the Symantec IT Risk Management Report identified a trend related to Best-in-Class organizations. In this report, Symantec defines Best-in-Class organizations as the top 25 percent of respondents who rated their effectiveness in implementing 16 control areas. These organizations experience higher levels of compliance and business process risk, but lower levels of IT incidents. A detailed analysis revealed that Best-in-Class organizations perform with high effectiveness across a variety of controls, including process controls, creating a holistic approach. The data also indicated that lower-performing organizations typically focus on a small number of more tactical technology controls rather than implementing a broad range of control areas.
The Symantec IT Risk Management Report provides organizations with the benchmarks and recommendations that they need to evaluate the effectiveness of their own IT Risk Management strategy.

Posted by Anne-Birte Stensgaard, Senior News Editor
