IT risk myths uncovered

Awareness of the importance of IT risk management is increasing, but myths still remain, according to the second volume of Symantec’s IT Risk Management Report.

The vendor’s report is driven by the analysis of more than 400 in-depth, structured surveys with IT professionals worldwide and identifies key issues, trends and analyses.

The report found that practitioners are embracing a more balanced approach that encompasses security, availability, compliance and performance risks, but there is still the issue of misunderstandings of IT risk management which can lead to potential IT system failures, and ultimately impact business continuity.

Most interestingly the report uncovered four myths which remain in the IT risk space.

MYTH ONE: IT risk is security risk

Despite traditional perceptions associating IT risk primarily with security risks, survey results indicate the emergence of a broader view among IT professionals.

Of the survey respondents, 78 percent gave “critical” or “serious” ratings to availability risk, compared with 70, 68 and 63 percent respectively for security, performance and compliance risks. That only 15 percent separate the highest- and lowest-scoring risk types indicates that IT professionals are adopting a more balanced, less security-centric view of IT risk.

“It is encouraging to see Symantec’s report highlight that organisations are recognising the criticality of managing IT risk in areas such as availability and performance in addition to security,” said Jon Oltsik, senior analyst at Enterprise Strategy Group. “In today’s connected world, businesses are starting to understand that failures across a broad spectrum of systems can impact the business operations and results.”

The report findings confirmed that security and compliance risks often attract attention because of their high visibility and impact – 63 percent of respondents rated data loss incidents as having a serious impact on their business. However, increased emphasis is being placed on availability risks, which the report shows can flow through the value chain and create impacts measuring millions of dollars, even from minor performance issues. Researchers at Dartmouth and the University of Virginia recently determined that a hypothetical Supervisory Control and Data Acquisition (SCADA) network failure at an oil refinery would result in an estimated economic impact of US$405 million, with the supplier only bearing US$255 million of the impact, while others in the supply chain would assume the remaining loss.

MYTH TWO: IT risk management is a project

The myth that IT risk management can be addressed in a single project, or even as a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT risk environment. IT risk management should be approached as an ongoing process in order to keep pace with the changing landscape businesses face today.

IT security, availability, compliance and performance incidents can impact the modern organisation at an alarming rate. The report revealed the following regarding the frequency of different types of IT incidents:

• 69 percent expect a minor IT incident once a month;
• 63 percent expect a major IT failure at least once a year;
• 26 percent expect a regulatory non-compliance incident at least once a year;
• 25 percent expect a data-loss incident at least once a year.

The report shows that the most effective organisations take a more holistic approach. However, many organisations appear to be failing to implement some fundamental risk management controls, such as asset classification and management, where only 40 percent of participants rate their performance as 75 percent effective or higher. In addition, only 34 percent of participants believe that they have an up-to-date inventory for their wireless and mobile devices, which are essential in today’s business world.

MYTH THREE: Technology alone mitigates IT risk

While technology plays a critical role in risk mitigation, the people and processes supported by technology also determine the effectiveness of an IT risk management program. According to the report, process issues cause 53 percent of IT incidents. Several controls also showed a decline in ratings from the previous report one year ago, which is cause for growing concern. For instance, the share of respondents rating their training and awareness programs as more than 75 percent effective fell from nearly 50 percent in Volume I to only 43 percent.

Similar to Volume One, the new report also shows very little improvement for the low rating of the asset and inventory classification control. Finally, only 43 percent of participants rate data lifecycle management “greater than 75 percent” effective, a 17 percent decline from Volume One.

Weakness of these controls suggests that assets will be treated equally, so that some systems, processes and objects will be overprotected and others underprotected from IT risk, resulting in cost and service inefficiencies. Volume II of the IT Risk Management Report highlighted a 10 percent improvement in the number of participants rating secure application development “more than 75 percent effective.” The report also signals that problem management is rising on the agenda.

MYTH FOUR: IT risk management has already become a formal discipline

The report makes it clear that IT risk management is an evolving business discipline, rather than a precise science, due to reliance on the experience accumulated by individuals and organisations as they keep pace with a changing business and technology environment.

There is a growing understanding that IT risk management incorporates elements of operational risk management, quality control and business and IT governance. In addition, practitioners may come to see IT risk management as a set of fixed principles and relationships, universally applicable across industries and geographies.