Volume 1, Published February, 2007

IT Risk Management Report

Trends through December 2006

“As IT becomes the cornerstone of our connections with customers, suppliers, partners, and business information, identifying and managing IT Risk becomes a core business capability.”
– Greg Hughes, Executive Vice President Worldwide Services and Support, Symantec Corporation

Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1 – Understanding IT Risk
.........................................................................................5 As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security, Availability, Performance and Compliance – each with its own drivers and potential impacts.

2 – Process and technology effectiveness in Managing IT Risk

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Technology controls to manage IT Risk are often deployed more effectively than process controls. Yet organizations that manage IT Risk effectively deploy people and process controls equally well.

3 – Aligning IT and business risks

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

IT has moved from the glass house to the front lines – and perceptions of IT Risk often differ by role and function within organizations.These misalignments are barriers to effective IT Risk management.

4 – Understanding effective Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs and impacts, and design and implement a solution that adapts to organizational requirements.

5 – Risk Mitigation: process and payoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
The good news is that there’s a substantial upside to IT Risk Management – a more effective organization, with better control of its costs, technology, and future.

Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and partners can work with us confidently toward our common goals.

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Executive Summary
Information Technology (IT) Risk is a growing component of total Operational Risk. As businesses increasingly depend on IT to automate processes and store information, IT Risk Management is emerging as a separate practice. Organizations across sectors and industries have begun to consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk includes security, availability, performance and compliance elements, each with its own drivers and capacity for harm. This study examined IT Risk, along with the technology and process controls used to mitigate it, in a year-long study based on in-depth structured interviews with more than 500 IT professionals around the world. The study determined that across industries, regions, and job roles, IT professionals: • rate themselves more effective in their deployments of technology than of process controls • see management of IT assets and configuration and change processes as particular problem areas • see people and process improvements as holding the greatest opportunities for them to move from good to great Data from high-performance organizations yielded a surprising – and very encouraging – result. More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations. More detailed analysis into the specific controls deployed by these companies revealed that best-in-class organizations perform with high effectiveness across most controls, including process controls, while lower-performing organizations typically focus on a small number of more tactical controls. The study identified substantial differences in the ways IT operational personnel and executives view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk. This appears to occur when Risk Management programs are not tailored to the specific risk profile of the business or coordinated across functional and business unit lines – leading to areas of both under- and over-investment. Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause. Best-in-class IT Risk management requires a disciplined approach that includes IT Risk awareness, quantification of business impacts, solution design and implementation across people, process, and technology, and creation of a sustained IT Risk Management program complete with performance measurement and a model for continuous improvement. A staged program helps balance benefits, risks and costs at every step of implementation.


This report is intended for executives with responsibilities for general, financial and IT management – anyone concerned with IT Risk and its management. With a broad cross-section of experience from IT professionals across industries, geographies and organization types, the report should provide context for Risk Management programs at your own organization. Be sure to check these IT Risk Management Report highlights: • Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1 • Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer incidents: see Effective IT Risk Management performance in Section 2 • Asset Management is the least-effective IT process: see Process effectiveness in Section 2 • Poor alignment between IT Risk strategy and the risk profile of the business can actually create higher business risk: see Why alignment on IT Risk matters in Section 3 • High performance across most process and technology controls, versus a few targeted areas, typically separates great from at-risk organizations: see Effective mitigation in Section 5


.Your customers connect to their financial future through your systems and networks.

alteration or use of information • Availability risks – of inaccessible business processes or data • Performance risks – of delayed access to business processes or data • Compliance risks – of violating legal. often from inadequate management of processes and events. IT Risk is emerging as a significant component of total business risk as IT assumes a more prominent role in organizations. regulatory or IT policy requirements 5 . and can account for more than 50% of total capital expenditure at some companies.Section 1 Understanding IT Risk Risk is potential damage to an organization’s value. Individual IT Risks may be classified as: • Security risks – of unauthorized access.

For example. • IT Risk evolves as fast as technology changes. or supervisory or legal controls. and may include risks from external events such as natural disasters or changes in government regulation. IT Risk has grown to prominence as a component of total operational risk. IT Risk Management is emerging as a separate practice because of the unique role IT plays in today’s organizations: • IT is now integral to many business operations and transactions. currency. In Financial Services and Online Retail. The types and levels of risk organizations face vary with their business and preferred risk profile. or internal processes associated with product quality. For example. As IT has become widely and deeply interconnected with business operations. And a high-growth financial organization in a developing nation might be more concerned about availability and performance risks as it scales up operations than a financial organization in a more mature market where security and compliance concerns prevail. for example. Financial risk is well understood. Operational risk results from operations rather than transactions. famine and disease. an entertainment company with many customer-facing systems and a strong brand image might have a very different risk profile than a manufacturer with few externallyfacing systems but significant trade and design information to protect. loss of intellectual property. What is IT Risk? Business risks range from everyday operational shortcomings to rare cataclysmic failures. Business risk is often split into financial and operational components. organization and plant performance. virtually the entire business may be carried out across IT systems and networks. pricing. 6 . More than just a specialty area of Operational Risk Management. Different risks affect different individuals and organizations in different ways – and as the world changes. and other types of financial risk. so do the origins and types of risk we face. online “phishing” fraud – and legal and regulatory requirements for IT countermeasures – were virtually unknown just three years ago.Understanding IT Risk Life’s risks extend from poor mobile-phone connections through war. and established markets help organizations manage or transfer their credit.

Aligning IT skills and processes – including IT Risk Management – to organizational goals is a constant challenge. and prioritization of these elements is an important early step in establishing an effective IT Risk Management program. or personnel – or IT as a whole – will diminish business productivity or value • Compliance risk – that information handling or processing will fail to meet regulatory. each with its own set of drivers and potential impacts. p m Co lia nc e Application Performance and IT Performance Optimize Resources Ensure Correct Configuration Classifying IT Risk To help organizations understand and analyze IT Risk and organize their mitigation strategies. Internal and External Malicious Threats Se cu Keep Bad Things Out Keep Important Things In y rit Ava il a y lit bi Natural Disasters and System Failures Keep Systems Up Ensure Rapid Recovery IT Risk r fo Per Ensure Adequate Controls Automate Evidence Collection m IT Policy and External Regulations ce Figure 1: IT Risk spans four areas. every organization has its own unique IT Risk profile. Figure 1 outlines a framework for classifying risks according to their impact on the organization. accessed or used by unauthorized parties • Availability risk – that information or applications will be inaccessible due to system failure or natural disaster. measurement. applications. As we will see. Although the survey on which this report is based concentrated on Security and Compliance areas of risk. The framework classifies IT Risks as: • Security risk – that information will be altered. IT or business policy requirements These four categories classify all elements of IT Risk that we have seen in organizations. this implies no prioritization of the four elements of IT Risk. Table 1 (next page) provides further information and examples of sources and potential impacts of risks in each category. an 7 .• Identification. including any recovery period • Performance risk – that underperformance of systems. and management of IT Risk requires specialized knowledge and skills. analysis.

with examples of the sources and potential impacts associated with each.Disgruntled employees .Poor change management processes .Physical destruction . including: • Graham-Leach-Bliley Act • EU Data Protection Directive • Health Insurance Portability and Accountability Act (HIPAA) • Sarbanes-Oxley Act .External fraud .Reduced client satisfaction .Inadequate third-party compliance standards . confidence in it and technology and processes for managing it .Malicious code .Risk Category Source Potential Impact Security Compromise of information. or consequences of noncompliance with IT policies .Damage to assets Availability Failure or delay in delivering IT processes or information needed for business transactions and operations .Force majeure .Litigation .Internal IT safeguards supporting compliance .Corruption of information .Network outages .Interruption or delay of businesscritical process .Damage to reputation & brand .Poor system architectures .Damage to reputation .Theft of financial assets .Identity theft . employee confidence .External attacks .Network congestion .Reduced IT staff productivity Performance Slow or inefficient operation of IT processes supporting business transactions and operations .Lost IT productivity Compliance Penalties.Abandoned transactions and lost sales .Data center failures .Proliferation of platform and messaging types .Expansion from central to end-point compliance .Regulations unique to each jurisdiction.Executive productivity Table 1: Categories of IT Risk.Interruption or delay of businesscritical processes .Reduced customer. partner.Breach of client confidentiality . fines and loss of reputation from failure to comply with laws and regulations.Inefficient code .Legal actions .Reduced user productivity .Inappropriate access .Reduced client or partner loyalty .Hardware failures .Inadequate capacity . 8 .

Symantec surveyed 528 individuals on topics related to IT Risk. Participants held a range of professional responsibilities in organizations of different sizes. we asked a subset of respondents (n = 310)* to rate the IT Risk associated with each of seven key businesses processes in their organization. Admin. IT Risk associated with Finance and Administration processes (leftmost column) led participants’ ratings for High or Critical risk. 9 . others not. Resources Critical R&D Supply Chain Moderate Figure 2: IT Risk associated with each of seven key business processes. Business-process definitions Customer Relationship Management (CRM) – sales and electronic commerce Supply Chain Management (SCM) – the entire product value chain from source to end-user Operations Management – operational control of continuous service and product processes Research & Development – the development cycle of products and service offerings Business Intelligence – the corporate ability to make timely. IT Risk by Business Process 100% 80% % of respondents 60% 40% 20% 0% Finance. High Corp.1 The results are shown in Figure 2. Numbers in parentheses (“n= ”) report the number of surveys supporting each graph or data comparison. “Survey instruments” for details. Research and Supply-chain processes received the lowest risk ratings. informed business judgments Finance & Administration – the process of financial and administrative management Corporate Resources – business functions supporting the organization as a whole * This study used two separate survey instruments – some questions were repeated on both. Please see the Appendix. industries and geographies – the Appendix provides demographic details. To assess the magnitude of IT Risk associated with core business processes.What drives IT Risk? From October 2005 through October 2006. followed by those associated with critical customer-facing and operational tasks. CRM Nil Operations Low Business Intel.

with a very substantial 66% and 70% of respondents rating these risks as High and Critical. and lower only for functions further removed from revenue generation and the customer experience. 10 . respectively. with over 66% of the respondents rating it High or Critical. nearly a third of professionals ranked IT Risk High or Critical. About half the respondents rated Intellectual Property risk as High or Critical. First. while National Security and Criminal and Civil Laws were seen to introduce the least risk – only 36% and 44% of respondents. IT Risk by Compliance Area 100% 80% % of respondents 60% 40% 20% 0% Data Retention Nil Data Protection Low Corp. IT Risk affects every major business process category: for even the lowest-ranked business process. with 53% giving Critical or High ratings for all three measures. Second. only 27% of those surveyed rated SCM risks as High or Critical. Governance Moderate IP High Civil. and just 33% rated R&D risks this way. followed by Corporate Governance. Research & Development and Supply Chain Management systems and processes introduced the least amount of IT Risk. Operations and Business Intelligence processes ranked second.Systems and processes supporting Finance and Administrative were associated with the greatest IT Risk. The results are illustrated in Figure 3 (n = 528 except for Data Retention. Data Protection and Retention show the highest proportion of High and Critical ratings. These results highlight two important points. respectively. IT Risk is highest for critical operational functions or those that manage critical and proprietary or confidential information. Criminal Critical National Security Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance. n = 310). Compliance with Corporate Governance policies ranked third. rating these either High or Critical. Respondents saw Data Protection and Retention introducing the greatest amount of compliance risk into their organizations. Our analysis also explored the components of compliance risk. Sales. Participants were asked how much risk each of six categories of regulations introduced into their organization. with 55% High or Critical ratings.

To help understand the impact of IT Risk associated with compliance processes. and applied it to organizations with different demographics. exposing them to more regulations and requiring greater compliance with internal policies to monitor and govern organizational behavior. 11 . or national disaster Civil & Criminal Legal Framework – assuring that IT systems and networks systems support legal infrastructure through electronic signatures. more than half the respondents saw High or Critical IT Risk in areas governing the proper operation of their organizations and protection of critical information. war. while 33% of organizations with more than 20. For example.000 employees see compliance risk as critical to their organizations. Respondents from Europe. only 15% of organizations with fewer employees do. Results show that organization size is a significant determinant of perceived compliance risk. we will explore reasons for low risk ratings by organizations operating in high-risk environments. Although a definitive explanation for this requires further investigation. the data are consistent with larger organizations’ greater complexity.Compliance definitions Data Protection – securing confidentiality of private and personal information. And despite the stringent regulations they face. data movement and use of IT resources Intellectual Property Protection – protecting individual and corporate intellectual property As with Business Processes. respondents expressed strong concerns about IT Risk in every Compliance area – risks in even the lowest-ranked areas were seen as significant by a third to half of the respondents. In Section 5. for example against identity theft Data Retention – ensuring that enterprise data is stored securely and retained for access by legitimate users Corporate Governance – assuring that public disclosures accurately reflect corporate performance National Security – protecting citizens and national infrastructure from terrorism. only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as critical. and geographic span of operations. we compiled an index to measure the relative importance of each of the six compliance measures above. This level of concern – across so broad a range of roles and industries – underscores how poorly managed these risks may be judged by those best-positioned to know. the Middle East and Africa generally saw less risk associated with compliance than their counterparts in the United States. number of business processes and operations. The Aerospace and Defense industry segment was the only industry in which a majority of respondents rated compliance risk as critical. More significantly.

.Patient health and privacy connect when medical records are transmitted or stored.

see their organizations’ capabilities to deploy IT Risk Management technologies as more effective than their capabilities deploying processes. Professionals surveyed at all levels of organizations across industries. scale. 13 .Section 2 Process and technology effectiveness in Managing IT Risk Effective IT Risk Management requires competence and investment in processes and technologies. and geographic reach.

The most effective IT Risk Management programs use well-defined controls that combine wellchosen technologies and best-practice processes. but on the differing perceptions of professionals within the organizations. more organizations have added Chief Risk Officers and other executive positions with responsibilities for IT Risk management. or have adopted formalized service-management standards such as the IT Infrastructure Library (ITIL®). ISO 17799. size. published by the United Kingdom’s Office of 4 Government Commerce. and expanded to encompass availability and performance in addition to security and compliance. 14 . organizations often struggle to put its principles into practice. few organizations have formalized their IT Risk Management programs until recently. COBIT3 and ITIL. refined by Symantec experience in dealing with highly effective organi- zations. Participants’ ratings of their organizations’ effectiveness deploying processes and technologies for IT Risk Management depend not only on their organizations’ industry. to determine whether organizations facing high levels of risk are more likely to have implemented highly-effective controls. range of operation and other demographic factors. They are derived from best practices defined by international standards including the code of practice for information security management (ISO/IEC 17799:20052). We have identified eight technology and eight process controls that represent best practices for managing IT Risk (see sidebar. “Process and Technology Controls for IT Risk Management. We also asked them to rate the amount of risk their organizations face.IT Risk Management processes and technology While acknowledging the relevance of Risk Management to IT. In the past few years. however.” for details). We asked survey participants to rate their success implementing each of the defined IT Risk Management controls – both process and technology. Controls for IT Risk Management Although Risk Management principles have received wide attention. and COBIT® to help them manage IT Risk.

replicate and protect data Configuration and Change Management – tools and processes to regulate change Resilient Infrastructure – technology to detect and correct vulnerabilities related to availability (e.Process and Technology Controls for IT Risk Management Process Controls IT and Security Strategic Management. efficient and secure Systems Build and Deployment – systems and technologies to assure effective. authority for security and external security-related communications Training and Awareness – processes to increase visibility and knowledge of security risks Assessment and Auditing – processes to assess the environment. controls. Policy and Architecture – architectures. secure deployment of new and updated systems Data Life Cycle Management – technology to move. policies and processes used to implement strategy Authentication. Protocol and Host Security – network design and infrastructure including segmentation. Development and Testing – processes.g. procedures. Roles and Responsibilities – standards for interactions between groups. perimeter defense and availability Physical Security – technologies governing access to IT infrastructure and facilities 15 . Classification and Management – processes to identify and classify assets.. and methodologies to ensure that new and updated applications are appropriate. supporting execution of asset-class-based policies Incident Readiness and Response – standards for preparation for and response to incidents Technology Controls Application Design. Authorization and Access Management – processes and technology to verify users’ identities and control access to resources Operational Design. protocols. workflow and resource management Asset Inventory. Workflows and Automation – design and implementation of automated solutions. policies and strategies defined to run IT services Organizational Structure. redundancy and failover) Performance Management – technology to monitor and manage system performance Network.

with only 38% rating their organizations more than 75% effective. Awareness Operational Asset Inv. “Authentication. Audit Architecture 50% effective Training. so that some will be overprotected and others underprotected. assessment and audit. and incident response.Process effectiveness We surveyed our sample of IT professionals (n=310) to understand how effective they thought their organizations were in deploying eight key process-based controls. and access. Without careful risk assessment. Structure Response Access <10% effective 25% effective IT Policy Assessment.. operational design.. They rate themselves moderately effective at policy-setting and compliance. Yet this discipline is fundamental to build an IT Risk Management program that reflects the organization’s priorities. or asset management. authorization. Instead. Organizational Incident Authorization. ordered left-to-right in decreasing order of perceived effectiveness. The data show that the path from basic performance to best practice requires moving IT Risk Management programs away from a reactive posture. The results are shown in Figure 4. Design Classification. Respondents rated “Asset Inventory Classification and Management” least effective of all their deployments. Management >90% effective 75% effective Figure 4: Ratings of organizations’ effectiveness at IT Risk Management processes. with 68% of respondents rating their organizations more than 75% effective. designed for protection against malicious external threats. all assets are likely to be treated equally. IT Risk Management Process Effectiveness 100% 80% % of respondents 60% 40% 20% 0% Authent. programs should raise IT Risk awareness and spread avoidance and mitigation efforts throughout their organizations. And few felt they performed effectively in employee and IT staff training and awareness. Management. “Asset Inventory Classification and Management” was lowest. Authorization and Access” was rated highest for effectiveness. and authentication. 16 . The findings show that most IT professionals feel their organizations are most effective deploying tactical controls for which they are accountable: organizational structure.

The low ratings of configuration and change and performance management deployments are significant. there are recent signs of improvement.Technology effectiveness Figure 5 below represents how effective organizations are in deploying technology controls: IT Risk Management Technology Effectiveness 100% 80% % of respondents 60% 40% 20% 0% Network. Although the survey identifies change management as a problem area.”5 Evergreen Systems noted that. “Network Protocol and Host Security” and “Physical Security” were the top-rated technology control deployments. Organizations use these technologies to understand the configurations and performance levels of IT assets so they can minimize service disruptions and increase throughput. Poor configuration and change management also constrains efforts to adapt and modernize systems for new opportunities or threats. respectively.” We will see in Section 4 that these disciplines are important drivers of performance improvements in IT organizations. 17 . “Configuration and Change Management” received such ratings from only 55% of respondents. and up to date. processes and tools as core components of the organization. Protocol. process or technology. with 80% and 77% of respondents. In their “ITIL Change Management Maturity Benchmark Study. and “Performance Management” from just 52%. “IT executives are increasingly integrating and internalizing change management procedures. These deployments are critical in keeping systems stable. performing effectively. Secure and Change Management Application Management Development >90% effective 25% effective 75% effective Figure 5: Ratings of organizations’ technology effectiveness. with only 43% rating their deployments 75% effective or higher. Host Security <10% effective Physical Security Resilient Secure Data Infrastructure Lifecycle Management 50% effective Secure Systems Config. “Secure Application Development” was least-frequently rated effective. These are the strongest ratings of all controls. ordered left-to-right in decreasing order of perceived effectiveness. rating their organizations more than 75% effective. Perform.

we analyzed the data according to demographic categories. and professional role of respondents. Technology and Process effectiveness index To compare organizations’ effectiveness deploying IT Risk Management processes and technology by industry. so while secure application development proves very cost-effective over time. IT Risk Management Process vs. Weak or Poor at implementing and deploying these controls.The role of secure application development is growing. Technology Effectiveness Effectiveness Index 100% 80% % of respondents 60% 40% 20% 0% Process Poor Weak Good Technology Strong Figure 6: Effectiveness indexes of organizations. with just a few variations. The first averages ratings for eight process controls. The relative strength of technology over process effectiveness was robust across industry. geography. specifically: 18 . operating region. each index averages eight individual factors. Figure 6 compares these effectiveness ratings. the second for eight technology controls.6 For a closer look. It shows that organizations are generally more effective implementing technology than they are processes: 33% rated Strong on the Technology Effectiveness Index. Organizations’ implementations are generally stronger for technology controls. we defined two indexes. Process effectiveness lags behind technology despite the recent industry focus on processes. organization size. rating implementation effectiveness of technology and process controls. ISO and COBIT. using frameworks such as ITIL. The technology requires substantial early investments in tools and skills. it remains in an early stage of adoption at most organizations. organization size and respondent job role. as IT professionals recognize its effectiveness in preventing exploitation of application vulnerabilities by eliminating them at the source. only 25% on the Process Effectiveness Index. Good. We set levels to classify organizations as Strong.

n=78) • Good – third (26th to 50th. n=77) • Worst – fourth (25th or worse n=78) For each quartile. Results appear in Figure 7. we divided 310 respondents into quartiles according to their overall effectiveness in the 16 process and technology controls identified earlier. Perceived IT Risks and Incidents by IT Risk Management Effectiveness by Quartile 5 4 Index 3 2 1 Worst Good Better Best Compliance Risk Business Process Risk Incidents Figure 7: Expected IT incident rates and two categories of IT Risk for organizations in each IT Risk Management performance quartile. we calculated and plotted separate indexes for regulatory and operational IT Risk (across 6 compliance and 7 business-process IT Risk areas). n=77) • Better – second (51st to 75th. Best in Class: IT Risk and incident expectations To help understand what makes organizations stand out as Best in Class at IT Risk Management. all groups rated their organizations more effective with technology than with process controls for IT Risk Management. again. 19 . in no case were process controls rated more effective. despite increasing perception of IT Risk. but every classification showed greater effectiveness with technology controls than with process controls. Healthcare and Manufacturing did effectiveness deploying process controls even approach parity with effectiveness deploying technology controls. IT incident expectations decline with effectiveness.• only in Government. together with the rates at which respondents expected IT incidents. The classifications were: • Best in Class – top quartile (76th or better percentile. • ratings of overall effectiveness from Managers were higher than those from either Directors or Executives. • large organizations and global organizations (often the same) were more effective deploying both technology and process controls.

we believed that the 16 process and technology controls identified in earlier sections would prove to be effective defenses or countermeasures.These results show that organizations rated more effective at managing IT Risk also experience higher levels of both Regulatory and Operational Risk. gaps between the concentric polygons reveal differences in effectiveness from one performance quartile to another – for example. organizations may actually reduce incident rates below the levels experienced by less-effective firms operating in safer environments. We had anticipated higher incident rates at high risk levels. These areas are the most tactical in scope and straightforward in implementation. They have deployed other controls lightly or not at all. Host Security” technology effectiveness for all quartiles in Figure 8. either because negative impacts are more likely where risk exposure is higher. we’ve seen that despite facing the study’s highest levels of risk. Clearly. For example. The data show the opposite: effective organizations expect fewer incidents despite operating in riskier environments. This result suggests that by building awareness of exposure to IT Risks and improving technology and processes for mitigating them. The result also cautions organizations not to count on a low-exposure operating environment to protect them from incidents without effective technical and process controls. we used data from performance quartiles identified in the preceding section to plot organizations’ effectiveness in deploying each individual process or technology control. they are doing something right – what is it? When we fielded the research. or because organizations base their perceptions of risk on incident expectations. Asymmetries in the polygons reveal imbalances in effectiveness – for example. Effective IT Risk Management performance The relationship between organizations’ IT Risk Management controls and expected incident rates deserves a close look. In the “radar” graphs of Figure 8. 20 . and assess their deployments as fairly ineffective. The lowest-performing quartile shows modest performance in two process areas (organization and authentication/authorization/access) and two technology areas (network and physical security). and therefore where most organizations get started. best-in-class organizations expect the lowest realization of IT Risk. measured as incidents. reducing an organization’s exposure to both external and internal IT Risks. the high estimates of “Network Protocol. the jump in “Training and Awareness” process effectiveness between the “Worst” and “Good” groups in Figure 7. To test this hypothesis.

Moving from the lowest quartile to the highest reveals a clear trend. It also requires a balanced program to evaluate all 16 measures and optimize incremental investments of people and dollars to achieve the greatest impact. authorization. Awareness IT Policy Mgmt. Access 1 Training. Mgmt. Mgmt. and others. and much better returns on measures such as configuration and change management. Classify. Protocol. and access. 21 . training and awareness. rather than heavy emphasis on a few. Organizations with higher performance show effective performance across most or all measures (shown as distance from the graph’s center). Architect Incident Response Operational Design W Technology Controls by Quartile Perform. Organizations in the top two quartiles begin to experience diminishing returns in areas such as physical security and authentication.. expansive. Network. Audit 3 2 Authent. and raise the effectiveness of deployment of each control. 5 4 Org. and Change Mgmt. involves moving from tactical. and proactive measures. Config. operational design. then. Author. Secure Data Lifecycle Mgmt. Worst Good Better Best Mean Figure 8: Process (top) and technology (bottom) control effectiveness scores for organizations in each performance quartile. and reactive to strategic. Structure Assesment. Host Security Secure Systems Physical Security Secure Appl.. More-effective organizations increase the number of controls they deploy... technical. Development Resilient Infra. data lifecycle management. The path from good to great IT Risk Management.Effectiveness with Controls for Managing IT RIsk Process Controls by Quartile Asset Inv.

and require special defenses.Critical connections face unique risks. .

Aligning differing perspectives on and activities toward IT Risk – among technical staff. and across departments and regions – is critical to avoid gaps. duplication.Section 3 Aligning IT and business risks Organizations manage risks so that they can pursue opportunities while keeping costs under control. 23 . managers and executives. and waste.

and managing risk more closely in areas where the most is at stake. It also cuts duplication and over-investment that wastes resources and creates unnecessary IT complexity and cost. resulting in higher operational efficiency. Aligning an organization’s IT Risk strategy to business strategy is as important as operational alignment. Just as IT departments align their operations to best support those business objectives. and how can an IT Risk Management program advance it? When business and IT operate in alignment. Yet progress is slow: CIO Magazine recently reported their readers’ number-one priority for 2007 was – again – aligning IT and business goals. An effective IT Risk Management program creates an IT Risk profile that supports the businesses’ larger objectives. they must align their Risk Management strategies as well – investing most heavily to mitigate those risks with greatest potential for business impact. Whatever an organization’s risk profile and level of risk tolerance. Alignment clarifies how IT resources may be deployed to bring products to market faster. Organizations’ risk profiles differ according to their lines of business and the strategies they pursue to maximize their effectiveness. Alignment closes gaps between organizational and IT Risk strategies that would leave the organization critically exposed to internal and external risks of all kinds. accepting more risk where business impact is low. and generate new revenue streams for the business. and assuming greater exposure in those areas whose likelihood and impact are lower. Finally.7 Why is alignment so important. greater capacity for innovation. deliver more effective service to customers. a well-prepared IT Risk Management plan also guides system design and decision-making. risk mitigation typically means the ability to manage a larger risk portfolio. 24 . an effective strategy for mitigating IT Risk may both protect an organization against incidents. IT Risk Management strategy – the importance of alignment Aligning IT to business strategy has been a consistent theme in the IT professional and industry press for years. As a result. clearly-visible links identify which IT assets and operations support business operations and the value they create. and reduce IT cost and complexity. and lower IT costs.Aligning IT Risk strategy to organizational goals Aligning their operations to support organizational strategy is a top priority for IT executives worldwide. This visibility transforms IT from a cost center to a driver of business value.

Directors reported lower levels of compliance risk than Executives or Managers. and Professional categories. and bear responsibility for its exposure to external risks. and second in carrying out business operations. Since the latter group includes non-IT employees. first in complying with regulatory and policy requirements. Achieving internal alignment on IT Risk The survey classified respondents’ jobs into Executive. Assessments of High risks were close to parity: 44% of Directors rated their compliance risk as High. Director. the same as Managers and two percentage points below Executives. Manager. the analysis concentrates on the first three groups.Our survey data identified lack of alignment on assessments of IT Risk within IT departments themselves. The chasm appears in the assessment of Critical risks at the Director level. consultants. Perception of Compliance IT Risk by Professional Responsibility by Job Role 100% 80% % of respondents 60% 40% 20% 0% Executive Low Director Moderate High Manager Critical Professional Figure 9: Ratings of organizations’ compliance IT Risk by respondents in four job categories. 25 . against 22% for Executives and Managers. The results show an organizational chasm between the ranks of Managers who implement IT programs – and therefore bear responsibility for the internal risk exposures and shortcomings of the organization – and senior Executives who set direction for the organization. and between IT departments and the organizations they serve. Directors were least likely to perceive compliance risk as Critical: only 16% did so. Respondents reported the level of IT Risk they perceived. and third parties. Figure 9 shows the level of compliance risk perceived across the range of professional responsibilities in the survey.

but in the opposite direction: 22% of Directors perceived Business Process Risk as Critical. against only 8% of Executives and 12% of Managers. Director and Manager perceptions were outside expectations based on differences in experience with a regulation or technology. But the systematic differences seen among Executive. 26 . Section 2 revealed different effectiveness ratings for deployment of process and technology capabilities.Figure 10 repeats the analysis for IT Risk introduced by Business Processes. revealed that the operational staff closest to implementation of IT programs may be the most inwardly-focused. Directors reported lower levels than either Executives or Managers. IT professionals differ by job role in assessing their risk-management environments. Perceptions of Business Process IT Risk by Professional Responsibility Job Role 100% 80% % of respondents 60% 40% 20% 0% Executive Low Director Moderate High Manager Critical Professional Figure 10: Rating of organizations' business process IT Risk by respondents in four job categories. and have the highest awareness of specific weaknesses. A closer look shows that while 39% of IT managers report their organizations 75% or more effective in implementing technology capabilities. as well as discussions with respondents. due to their direct accountability for operational IT Risks. Misalignment of IT Risk perceptions was even more dramatic. but with perceptions based on awareness of external factors and concern for the unknown. Senior executives most removed from day-to-day operations may share a high perception of IT Risk. Disagreements among the ranks continued with process and technology effectiveness ratings. alignment may be better within organizations than the job-role analysis suggests. The survey data. since these respondents were drawn from different organizations. only 27% of executives agreed. The Director level – which would ideally bridge these operational and strategic viewpoints to facilitate alignment – may be biased toward tactical operational risks over external or regulatory risks. Of course. Again.

Dramatic examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insufficient motivation to do more than the minimum. unavailable systems. causing gaps in the way systems and processes are developed. The first was quantification of value to the organization as a whole. yet organizational alignments make convergence difficult to achieve. Today this disconnect often occurs along organizational lines – for example. Recall that in Figure 4 of Section 2. They insisted that technology-based controls can only go so far. we saw that Training and Awareness ranked third from the bottom in effectiveness among eight process controls. Until an organization’s stakeholders understand the impact of lost information. available. The second element is culture. in the seams between the executives and functions responsible for security. Organizations have different risk profiles to which IT Risk programs should be tuned. a company with tens of thousands of employees averaging 24 years of age may require a very different policy for IM use and Web access on company systems and time than smaller companies with older workforces. and that effective mitigation of IT Risk requires behavioral changes by end users throughout the organization. and compliant. either of which may elevate risk. for example – sustained focus will remain out of reach. and security breaches. these gaps may cause sudden unexpected service-level shortfalls. and operational business continuity and availability. For example. and non-compliant processes in terms that are meaningful to them – lost sales. compliance. system downtime. 27 . Misalignment occurs in two ways. Selective enforcement and highly visible actions may be more effective than stringent policies that are unenforceable because they fail to align with the organization’s culture. Invisible until something goes wrong. for example. Why alignment on IT Risk matters Misalignment of perceptions and actions is more than just a source of internal disagreement about IT Risk Management policy. Solutions such as messaging typically require all these functions to converge on a solution that is secure. we heard a recurring theme about alignment. ranked among their greatest challenges. Two elements were frequently cited as necessary to encourage behavioral change. The first type of misalignment is internal to IT. But they may also incorporate different workforces and cultures that will accept different levels of IT policy awareness and compliance. Respondents told us that training users about IT and security risks. dissatisfied customers or reduced productivity.Alignment – the business side Collecting data for this study at IT conferences and roundtables. deployed and managed. it can itself become a source of IT Risk.

IT management must work closely with clients and stakeholders in the organization as a whole. In combination. they must make sure their departments are aligned internally. 28 . everyone in the department should share an understanding of IT Risks and priorities. First. resulting in loss of agility and increased risk. or under-invest in areas critical to organizational goals. and then track performance at an executive level as part of a corporate balanced scorecard. Companies following best practices in managing IT Risk incorporate the IT Risk strategy within the organization’s annual planning process to ensure alignment within IT and across the organization. From the CIO to the backup administrator. and how they relate to their own areas of responsibility. These disconnects result in “ivory tower” IT programs that over-invest in risk areas relevant to IT but not necessarily high organizational priorities. Both result in lower contributions to the organization’s overall success.The second type of misalignment is between the IT function and the rest of the organization. organizational units and functions may not have sufficient awareness of their own IT Risk exposures. Alternately. enlisting their help to assure that IT priorities reflect the organization’s goals and objectives. The IT Risk program may not fully reflect or respond to the needs of the organization as a whole. Second. and to drive compliance with IT Risk Management programs where necessary. Active management and mitigation of IT Risk requires IT departments to avoid risks created by misalignment. internal and business alignment assures appropriate resource allocation and operational efficiency.

g. Major Information Loss Service impact to your organization. data corruption. integrity or availability (e. and check your results against survey norms on the last page of the report: Context: What reflects the expected frequency of the following incidents in your organization? 1. Minor IT Impact Minor impact to your IT systems affecting less than 10% of your clients and/or servers. hinders the work of individuals or groups: Once a year 10 times a year 20 times a year Every day More than once a day Answers to self-test on page 47. data center outage. full breach of security): Never Once every 5 years Once a year Twice a year More than twice a year 3. caused by a loss of information. 29 . Regulatory Non-Compliance Your enterprise is found to be out of compliance with one or more governing regulations: Never Once every 5 years Once every 2 years Once a year More than once a year 2. Major IT Impact Severe impact to your IT organization affecting more than 10% of your clients and/or servers – halting operations of some critical part of your operations: Once every 5 years Once a year Twice a year 5 times a year More than 5 times a year 4.Sample questions How do your incident expectations measure up to those of the organizations in the survey? Answer these four questions. confidentiality.

and customers. . distributors.Your business depends on reliable connections with suppliers.

The transition from good to great IT Risk Management is achieved primarily by increasing effectiveness across the full range of measures in a structured.Section 4 Understanding effective Risk Management Organizations achieve effective IT Risk Management by deploying a broad range of IT technology and process controls. disciplined program that proceeds from a broad assessment of IT Risks to a closed-loop process of continuous improvement. 31 .

and linkages between phases help maintain focus and continuity of organizational commitment. performance. lasting improvements in IT Risk Management. Achieving Best in Class IT Risk Management Few organizations have achieved the level of IT Risk Management performance achieved by Best in Class organizations in this survey. While the steps themselves. Nor do all companies face the same levels of IT Risk or share similar risk profiles. and compliance. productivity. quantification. and developing an effective program of remediation activities. reputation. How can organizations advance from good IT Risk Management practice to great? For organizations trying to manage IT Risks effectively. the specific tools and tasks supporting them are very valuable. 32 . and cost. The field is still emerging. and ultimately build effective. The case for change. availability. and system downtime costs reached tens of thousands of dollars per hour. a broadly-applicable assessment. per-incident costs of unauthor8 ized access to information averaged over $85. continuous IT Risk Management Programs. A five-step process can help organizations assess their levels of IT Risk. detailed in Figure 11.9 It doesn’t take long for incidents of this scale to create significant drag on an organization. and not all organizations are yet organized to deal with IT Risk in an integrated fashion.Understanding effective IT Risk Management How can an organization build its capabilities for IT Risk Management? While there is no single formula or protocol. is compelling: organizations are experiencing rising incident rates across the areas of security. develop remediation roadmaps. often while reducing IT infrastructure and process complexity and cost. however.000 in 2006. with significant impact to revenue. quantifying and prioritizing them against the organization’s risk profile. design. the challenge includes understanding their portfolio of IT Risks. may seem familiar. According to the Computer Security Institute and the FBI. alignment and measurement program can help organizations marshal their resources effectively to achieve real.

and organizing the dozens or hundreds of IT Risks of which they are already acutely aware. structured framework I can assess and prioritize?” A clear framework requires identifying critical IT assets and understanding how they support critical business processes. infrastructure. assigning each a priority according to risk. 33 . The search for vulnerabilities and weaknesses should cover applications. including: • establishing the program’s scope (how expansive a view of IT Risk is appropriate?) • constructing a risk profile for the organization based on its overall priorities • identifying key areas of IT Risk For many companies. Requirements include legal obligations such as regulations.IT Risk Assessment and Management Process Step 1 Step 2 Step 3 Step 4 Step 5 Develop Awareness of IT Risks Quantify Business Impacts Design Solution Align IT / Business Value & Implement Solution Build & Manage Unified Capability Figure 11: Five-step IT Risk Mitigation process. Step 1 – Develop awareness of IT Risks IT Risk mitigation begins with comprehensive discovery. as well as business requirements such as the privacy. and weaknesses. operations. issues. Finally. vulnerabilities. the challenge of discovery includes both identifying new areas of risk. often by evaluating the risk profile and assessment against IT best practices. staff with privileged access to information. and integrity of business information. and service level agreements. Assessment should also consider the organization’s current requirements. capabilities and vulnerabilities. A common question at this stage is. this stage involves identifying and classifying threats. availability. contracts. Critical assets include the technology infrastructure underlying corporate operations. “How do I take the issues I already know about and assemble them into a comprehensive. and organizations. and the organization’s IT operational processes.

misaligned organizational models. The “currency” of the business case varies according to the business and the area of risk. goals. or unclear requirements or policies. of addressing an area of IT Risk. The next step is to design a set of remediation solutions. and investment. Until they have quantified the impact. across the classic elements of people. In the first. measured in time. For example. process. and the priority and quantification of each area of IT Risk. staff resources. a model might be designed to provide tiered levels of service based on the priorities for different types of data and portions of the business. each with requirements. specifications. For some organizations this will be a narrowly-focused activity to address the most imminent areas of risk.Step 2 – Quantify business impacts Quantifying business impacts is typically the most challenging step – and the most important. negative brand impact or lost viewers for a media company. or the funds needed for mitigation. Quantification of business impacts typically follows a two-phased approach. for others a longer-term program with sequenced waves of initiatives. and technology. A Web site crash will mean lost revenue or sales for a retailer. and functions. The second phase builds detailed business arguments for only those risks identified as high-impact areas. 34 . lost productivity for a manufacturer. Solutions that reduce risk frequently also reduce complexity and cost. Step 3 – Design solution At this point. IT leadership may be unable to attract their colleagues’ attention to it. its current status. and it should be periodic. The key is to build a case that makes sense in the local currency. This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals. positive or negative. The model can be iterative. whatever it may be. and so on. linked to the organizational and IT planning cycles. the organization knows the scope and components of its Risk Management program. the full portfolio of risks is coarsely prioritized based on potential business impacts according to the organization’s risk profile and the ease or difficulty of risk mitigation. This is especially true when risks have been introduced by dense or poorly-followed processes.

organizations set the stage for collection of baseline data. process. including: • replacing guesswork with quantification and prioritization of IT Risk Management efforts and investments • replacing intermittent. performance tracking. and assessment of program effectiveness against the original business case. Implementation determines whether risk-mitigation initiatives are deployed successfully across people.Step 4 – Align IT and business value. their position in this maturity model depends on their IT Risk profile and progresses through several waves of organizational. With a coherent system of metrics and performance management capabilities. or devolve into local IT projects measured narrowly by software and gear implemented and administrators trained. Step 5 – Build and manage unified capability Once implementation of the first wave of IT Risk solutions is underway. Closed-loop measurement and continuous improvement are essential. For most organizations. reactive projects with a program that delivers consistent improvements over the long run • replacing speculation with clear progress against consensus goals to secure the long-term investments needed for mitigation of IT Risks 35 . As in most change-management programs. most programs’ success lies in the effectiveness of implementation. IT Risk Management follows a maturity model that begins with tactical basics and evolves to Best-in-Class performance. implement solution Although quantification is the most difficult step. By adapting their efforts as their experience and effectiveness grow toward maturity. process. and technological change before reaching its goal. organizations can avoid or overcome the most common implementation challenges. organizations should institute programs for continuous improvement and ongoing governance of their IT Risk Management program. and technology with close involvement of organizational stakeholders.

Connections bring both opportunities and risks – managing them is everyone’s job. .

37 . While there are many ways to manage risk successfully. to focus attention and resources where they matter most. we classified respondents into profiles based on their level of IT Risk and IT Risk Management effectiveness. The best companies align investment to exposure. the resulting levels of risk and the costs to the organization can vary greatly.Section 5 Risk Mitigation: process and payoff In order to understand organizations’ IT Risk strategies better.

• IT Risk Balancers (42%) pursue a matching strategy. signaling excessive costs. reactive position and an active posture that gives it the freedom to choose appropriate risks. 38 .IT Risk mitigation profiles The way an organization manages the challenges in its environment can make the difference between a defensive. effective actions. it appears that these organizations have chosen IT Risk Management strategies that meet comparatively low levels of IT Risk with investments that keep their mitigation processes and technologies highly effective. These organizations are frequently Best in Class. Instead. but different from those in the two other segments: • At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing medium to high levels of IT Risk. meeting their organizations’ high levels of IT Risk exposure with highly-effective mitigation processes and technologies. we performed a cluster analysis (n=310) to identify consistent patterns in survey respondents’ risk exposure. ensuring mitigation. like Balancers. and missed opportunities elsewhere. • IT Risk Mitigators (23%) maintain effective IT Risk Management programs. Effective mitigation To explore the limits of risk mitigation. and its own path. The most interesting results are from the IT Risk Mitigator cluster. effectiveness of mitigation efforts. Nothing in their underlying demographics separates Mitigators from Balancers. Mitigators expect to enjoy low incident rates. Organizations in this category seem to address IT Risk through overinvestment. Organizations with this profile typically expect a high rate of incidents. but actually experience low levels of IT Risk. but demonstrate poor effectiveness in addressing it through mitigating process and technology measures. show high process and technology effectiveness – yet they face the lowest IT Risk levels of any group. and expectation of IT incidents. displaying all five underlying measurements instead of the single composite score used to create the clusters. Mitigators. The analysis revealed three groups in which respondents are similar to one another. but at high costs. but it is possible that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would identify over-investments. Figure 12 shows the performance of the three groups revealed by the cluster analysis.

IT Risk Exposure. Control Effectiveness and Incident Experience by Performance Cluster Compliance Risk Index Technology Effectiveness Operating Risk Index Process Effectiveness Index Incident Index At Risk Balancer Mitigator Figure 12: Organizational clusters. Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis): Risk Management Patterns – Cluster Analysis IT RIsk Management Effectiveness High IT Risk Mitigators IT Risk Balancer Low IT Risk Low-Mid IT Risk Exposure High Figure 13: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness. showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk. occupying the lower-left quadrant and combining low levels of IT Risk and poor implementation of IT Risk Management programs. Mitigators deploy high technology and process effectiveness despite comparatively low levels of compliance and business-process IT Risk. 39 . The cluster analysis did not identify a fourth group. showing all five underlying measurements. We suspect that such organizations are underrepresented in our sample because they are less likely than others to participate in surveys about IT Risk Management or attend industry events with IT Risk Management prominent on the agenda.

A changing IT Risk landscape demands consistent. without constraining business performance. might be to react to risks one by one as they arise. and new external and internal threats to information and infrastructure crop up every day. IT’s support of this capacity for flexible innovation is among its greatest contributions to business value. Organizations that manage their risk portfolios effectively create opportunity: they can make educated.We speculate that this group faces low levels of risk. business priorities change. Their improved IT Risk Management capacity gives them latitude to innovate and explore a wider range of business options. The five-step approach described in Section 4 emphasized the importance of iteration and management to address risk as part of a program of continuous improvement. Some may self-insure against IT Risks by maintaining reserves of financial assets to help with recovery from incidents. And as organizations evolve over time. inadequate or too late. if at all. minimizing risk and cost in areas most vital to the organization. IT Risk must be managed. new regulations are enacted. Their IT Risk strategy. informed decisions on how and when to take on additional risk. Risk mitigation: how far? Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and common sense suggest not – and certainly not at a reasonable cost. which may not be articulated. absorbing incident costs when that reaction is missing. programmatic management to adapt to and mediate new forms of IT Risk. and implements IT Risk Management programs poorly. 40 .

Risk-management investments pay off by reducing incidents and freeing organizations to compete with greater confidence. agility. Organizations may also choose to invest in process and technology improvements with a primary goal of increasing operational efficiency. Our results don’t speak to their motivations. it may not be the full story. 41 .Operational efficiency – the same path to a different goal We undertook this study to understand IT Risk and the effectiveness of technology and process controls in managing that risk. these disciplines have positive impacts. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational risk – and while true. But regardless of the motivations. Lower risk levels in the Mitigator cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for operational effectiveness. and success.

From the CIO to the backup administrator. IT professionals reported significant gaps and shortcomings in their organizations’ deployments of controls to help them manage IT Risk. IT management must work closely with their business clients to assure those priorities reflect the goals and objectives of the business as a whole. internal and business alignment assures appropriate resource allocation and operational efficiencies. everyone should share a common understanding of IT Risks. due to careful investments that maintain high effectiveness over the entire range of technology and process controls. and personnel may be brought to harm by internal or external threats carried out or weaknesses exposed across IT networks and systems. Respondents rated their organizations more effective at implementing risk-management technology than processes across the full range of industries. Misalignment is itself a source of IT Risk. And they saw particular problems in managing IT assets and configuration and change control – both areas of critical importance in bringing IT Risks under control. avoiding over. In a major year-long study. and how they relate to their individual areas of responsibility. organization size and professional responsibilities. Managing IT Risk is everyone’s job. and achieving steady improvements measured against consensus goals. Managing IT Risk – in service of your organization’s mission – is the subject of this report. sapping resources more effectively deployed elsewhere. from risk exposures created by gaps between IT and organizational perceptions and priorities. their priorities. geographies. Best-in-class organizations – even though they face higher levels of IT Risk – anticipate fewer incidents. The report outlines a five-step process to help organizations put consistent.Conclusions An organization’s assets. Respondents also displayed different perspectives on risk based on their individual responsibilities. operations. and overinvestment in areas of low organizational priority. In combination. measurable.and under-investment. and the purpose of this series. and identify serious problems aligning and coordinating IT Risk Management with the broader goals of their organizations. longterm programs in place. 42 .

43 .

aggregate. much of the report reflects the 310 responses from the second survey. Industry was classified into 37 segments. Most questions were identical on both surveys. Retail. and protect the confidentiality of survey results on behalf of Symantec. Survey instruments Symantec collected 528 records using two survey instruments. An additional 310 individuals responded to the expanded survey. Respondents were offered and received a report comparing their responses to a benchmark group. and identified the industry. Symantec collected 528 responses from IT professionals attending IT events worldwide. Technology Effectiveness and Process Effectiveness.Appendix Methodology Data collection Between October 2005 and October 2006. Ecosystems LLC of Vienna VA to collect. respondent job role and global or regional coverage of the respondent’s business operations. process. The first. Technology Effectiveness and Process Effectiveness. The second added a section on Business Process Risk and additional questions about Compliance Risk. As a result. Mining. Symantec contracted a third party. The “Other” industry group comprises Agriculture. Construction. with the larger sample size and more complete set of questions. number of employees. These demographics provided the variables for much of our analytical work. covered Compliance Risk. so we combined those results for a sample size of 528. with 218 respondents. assembled into seven groups. To ensure candid responses and protect participants’ privacy. Wholesale and Energy. Respondents completed survey questionnaires and submitted results in person. 44 . Incident Rate. Additions and improvements to the second survey prevented use of the full record set for every analysis. Demographics We fielded both versions of the survey to a broad demographic group.

Respondents by Industry Public Sector Financial Services Services Manufacturing Other Telecom. Respondents by Professional Responsibility Executive Director Manager Professional 0 20 40 60 80 100 120 Number of Respondents Survey 1 Survey 2 Figure A2: Breakdown of responses by respondents’ professional responsibilities. The “Professional” role includes business. We collected 161 and 308 job-role classifications from Surveys 1 and 2. respectively. Media Healthcare 0 10 20 30 40 50 Number of Respondents Survey 2 60 70 80 90 Survey 1 Figure A1: Breakdown of 528 responses by industry. Please see the text for details. Please see the text for details. 45 . We attribute the lower response rate for job roles in Survey 1 to privacy concerns among European respondents. consultant and other non-IT job functions.

215 respondents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at their organization.000 employees 1. 46 .We measured organization size according to number of employees. We asked respondents to indicate the major areas of the globe in which their organizations had operations. Please see the text for details.000 employees 0 10 20 30 40 50 Number of Respondents Survey 1 60 70 80 90 100 Survey 2 Figure A3: Breakdown of responses by organization size.001 to 20. understand risk-management behavior in terms of geographic scale of operations and globalization.001 to 5.000 employees < 1. Respondents by organization size > 20.000 employees 5. specific attribution of responses to geographic regions is not possible. We can. Since we did not identify headquarters country. Please see the text for details. This question allowed respondents to pick multiple geographic regions. Respondents by organization operating regions Asia Pacific EMEA Latin America North America 0 50 100 150 200 250 300 350 Number of Respondents Survey 1 Survey 2 Figure A4: Breakdown of 528 responses by respondent organizations’ operating region. As seen below. however. so the number of responses exceeds the number of respondents.

Answers to the Self-Test To score your responses against incident expectations reported by 310 respondents in Survey 2. • Business Process Index – business process risks listed on page 19. we compared these to the rest of the data set. Where appropriate. and for correlation and comparative analysis. most during events based in the United Kingdom. • Overall Effectiveness Index – combination of the previous two indexes. we used the data to create six indexes summarizing the average response to a set of questions. The six indexes used in the analysis are: • Compliance Index – compliance risks listed on page 11. “2” for the next. Use of Indexes Indexes used in the report measured total importance or impact of a risk. Please see the report text for details. During the analysis phase. • Process Effectiveness Index – effectiveness of organizations at implementing process capabilities listed on page 18. We used each index to compare means across organization demographics or respondent group. as described on page 19. or incident rate across respondents. assign a value of “1” if you selected the least-frequent alternative. effectiveness measure. to a maximum of “5” for the most-frequent alternative. Add the four scores.We collected 92 of the 528 total responses during events conducted in Europe and South Africa. and then compare them to the survey sample using this table: Best in Class = fewer than 6 points Good performance = 6 to 10 points Underperforming = more than 10 points 47 . • Incident Rate Index – incident expectations. • Technology Effectiveness Index – effectiveness of organizations at implementing technology capabilities listed on page 18.

March 2006. Information Technology – Security Techniques – Code of Practice for Information Security Management. Framingham. (London: Infoconomy. Brian E.. Stephen Elliot. Kenneth. Allan Carey.” Harvard Business Review. A tale of five risk management characters and how they fit into your November-December 1994: reprint. Inc. “From Contingency to Continuity. Michael. Lawrence Gordon. (Boston: International Data Group. Martin Loeb. James. CIO Guide to Sarbanes Oxley. Aligning COBIT. 2006. Framingham. http://www. 2005. MA: IDG Network. Framingham. July 2006). David Scharfstein. Jaikumar. Measuring and Gaining Control of Risk. 2006).References Notes 1 Michael Porter. Lee. November 8. Rasmussen. David. October Froot. William Lucyshyn and Robert Richardson. MA: Forrester Research. 1985). 2005). META Group. Tyson. Sunny Gupta. Burke. March 2006. IL: IT Governance Institute and Norwich. (Sterling. “A Framework for Risk Management. CT: Gartner. Ltd.computerworld.. Kolodgy. Inc. and Jeremy Stein. 48 . Oct 2004) 2 3 4 5 6 7 8 9 General References Adner. December 29. Inc. State of the CIO Survey.itil. Sally Hudson. VA: Evergreen Systems. ITIL Change Management Maturity Benchmark Study. Christian A. 2006. “Operational Risk and Resiliency Frameworks.D. (San Francisco: Computer Security Institute.” E-Business Blog. Framingham.goCSI. Rose Ryan.. February 10. 2004.cio. May 11. Stamford. 2006). 2005).” http://www. (Los Angeles: Line56. “Divide and Conquer: Rethinking IT Strategy. (Rolling Meadows. Broussard. “ITIL Adoption. (ISO/IEC 17799:2005(E). Fall 2006: 4-13. Needham. MA: IDC. January 2005. and Ranjit (New York: The Free Press. Champy. Edgewater. April 2006: reprint. Lassiter. Vijayan. Charles J. Hughes. Inc. (Geneva: International Organization for Standardization. “Enterprise Application Trends. Christiansen. Macauley. Ron. CIO Magazine. Top 10 Predictions for Security in 2006: Countering Crafty Criminals and Insidious Insiders. ITIL and ISO 17799 for Business Benefit. July 2006: 34-40. UK: Office of Government Commerce).” Risk Management Magazine. IT Infrastructure Library. “Four Steps to Successful IT/Business Alignment” SearchCIO. and Tim Grieser. 2005.line56.” McKinsey on IT. “Five Steps to IT Risk Management Best Practices. MD: ReymannGroup.” Harvard Business Review.. Cambridge. MA: IDC.”” META Trends 2005/2006. Frederick. ITIL Penetration is Moving Faster than You Might Think: Some Results of the System Management Software Strategies Study. http://www. UK: Office of Government Commerce. MA: CXO Media.information-age. “Defending Data will be IT Manager 2007 Focus. MA: TechTarget. “Match Your Innovation Strategy to Your Innovation Ecosystem. 2007). http://www. Competitive Advantage: Creating and Sustaining Superior Performance.” Information Age. 2006 CSI/ FBI Computer Crime and Security Survey. (Norwich. Enterprise Risk Management.

Symantec. . and other countries. the Symantec Logo. Symantec reserves the right to make changes without prior notice. Other names may be trademarks of their respective owners. Documentation may include technical or other inaccuracies or typographical errors. Any use of the information contained herein is at the risk of the user. All rights reserved.S.NO WARRANTY. Copyright © 2007 Symantec Corporation. and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U. The information provided in this document is being delivered to you “AS IS” and Symantec Corporation makes no warranty as to its accuracy or use.

About Symantec Symantec is a global leader in infrastructure software. enabling businesses and consumers to have confidence in a connected world. compliance.S. Symantec has operations in 40 countries. call toll-free 1 (800) 745 6054. 1/07 11859849 .symantec. Headquartered in Cupertino. Calif. Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino. All rights reserved. information. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.. For product information in the U. Other names may be trademarks of their respective owners. More information is available at Copyright © 2007 Symantec Corporation. and performance. CA 95014 USA 1 (408) 517 8000 1 (800) 721 3934 www. The company helps customers protect their infrastructure. and other countries. For specific country offices and contact numbers please visit our Web site. and interactions by delivering software and services that address risks to Confidence in a connected world.