Volume 1, Published February, 2007
IT Risk Management Report
Trends through December 2006
“As IT becomes the cornerstone of our connections with customers, suppliers, partners, and business information, identifying and managing IT Risk becomes a core business capability.”
– Greg Hughes, Executive Vice President Worldwide Services and Support, Symantec Corporation
Table of Contents
Executive Summary (page 2)
Highlights (page 3)
1 – Understanding IT Risk (page 5)
As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security, Availability, Performance and Compliance – each with its own drivers and potential impacts.
2 – Process and technology effectiveness in Managing IT Risk (page 13)
Technology controls to manage IT Risk are often deployed more effectively than process controls. Yet organizations that manage IT Risk effectively deploy people and process controls equally well.
3 – Aligning IT and business risks (page 23)
IT has moved from the glass house to the front lines – and perceptions of IT Risk often differ by role and function within organizations. These misalignments are barriers to effective IT Risk management.
4 – Understanding effective Risk Management (page 31)
Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs and impacts, and design and implement a solution that adapts to organizational requirements.
5 – Risk Mitigation: process and payoff (page 37)
The good news is that there's a substantial upside to IT Risk Management – a more effective organization, with better control of its costs, technology, and future.
Conclusions (page 42)
In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and partners can work with us confidently toward our common goals.
Appendix (page 44)
Executive Summary

Information Technology (IT) Risk is a growing component of total Operational Risk. As businesses increasingly depend on IT to automate processes and store information, IT Risk Management is emerging as a separate practice. Organizations across sectors and industries have begun to consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk includes security, availability, performance and compliance elements, each with its own drivers and capacity for harm.

This report examines IT Risk, along with the technology and process controls used to mitigate it, in a year-long study based on in-depth structured interviews with more than 500 IT professionals around the world. The study determined that across industries, regions, and job roles, IT professionals:
• rate themselves more effective in their deployments of technology than of process controls
• see management of IT assets and configuration and change processes as particular problem areas
• see people and process improvements as holding the greatest opportunities for them to move from good to great

Data from high-performance organizations yielded a surprising – and very encouraging – result. More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations. More detailed analysis into the specific controls deployed by these companies revealed that best-in-class organizations perform with high effectiveness across most controls, including process controls, while lower-performing organizations typically focus on a small number of more tactical controls.

The study identified substantial differences in the ways IT operational personnel and executives view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk. This appears to occur when Risk Management programs are not tailored to the specific risk profile of the business or coordinated across functional and business unit lines – leading to areas of both under- and over-investment. Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause.

Best-in-class IT Risk management requires a disciplined approach that includes IT Risk awareness, quantification of business impacts, solution design and implementation across people, process, and technology, and creation of a sustained IT Risk Management program complete with performance measurement and a model for continuous improvement. A staged program helps balance benefits, risks and costs at every step of implementation.

This report is intended for executives with responsibilities for general, financial and IT management – anyone concerned with IT Risk and its management. With a broad cross-section of experience from IT professionals across industries, geographies and organization types, the report should provide context for Risk Management programs at your own organization.

Highlights

Be sure to check these IT Risk Management Report highlights:
• Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1
• Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer incidents: see Effective IT Risk Management performance in Section 2
• Asset Management is the least-effective IT process: see Process effectiveness in Section 2
• Poor alignment between IT Risk strategy and the risk profile of the business can actually create higher business risk: see Why alignment on IT Risk matters in Section 3
• High performance across most process and technology controls, versus a few targeted areas, typically separates great from at-risk organizations: see Effective mitigation in Section 5
Your customers connect to their financial future through your systems and networks.
Section 1 Understanding IT Risk

Risk is potential damage to an organization's value, often from inadequate management of processes and events. IT Risk is emerging as a significant component of total business risk as IT assumes a more prominent role in organizations. Individual IT Risks may be classified as:
• Security risks – of unauthorized access, alteration or use of information
• Availability risks – of inaccessible business processes or data
• Performance risks – of delayed access to business processes or data
• Compliance risks – of violating legal, regulatory or IT policy requirements

What is IT Risk?

Life's risks extend from poor mobile-phone connections through war, famine and disease. Different risks affect different individuals and organizations in different ways – and as the world changes, so do the origins and types of risk we face.

Business risks range from everyday operational shortcomings to rare cataclysmic failures. Business risk is often split into financial and operational components. Financial risk is well understood, and established markets help organizations manage or transfer their credit, currency, pricing, and other types of financial risk. Operational risk results from operations rather than transactions, or internal processes associated with product quality, organization and plant performance, loss of intellectual property, or supervisory or legal controls, and may include risks from external events such as natural disasters or changes in government regulation.

As IT has become widely and deeply interconnected with business operations, IT Risk has grown to prominence as a component of total operational risk. More than just a specialty area of Operational Risk Management, IT Risk Management is emerging as a separate practice because of the unique role IT plays in today's organizations:
• IT is now integral to many business operations and transactions. In Financial Services and Online Retail, for example, virtually the entire business may be carried out across IT systems and networks, and IT can account for more than 50% of total capital expenditure at some companies.
• IT Risk evolves as fast as technology changes. For example, online "phishing" fraud – and legal and regulatory requirements for IT countermeasures – were virtually unknown just three years ago.
• Identification, analysis, measurement, and management of IT Risk requires specialized knowledge and skills.
• Aligning IT skills and processes – including IT Risk Management – to organizational goals is a constant challenge.

The types and levels of risk organizations face vary with their business and preferred risk profile. For example, an entertainment company with many customer-facing systems and a strong brand image might have a very different risk profile than a manufacturer with few externally-facing systems but significant trade and design information to protect. And a high-growth financial organization in a developing nation might be more concerned about availability and performance risks as it scales up operations than a financial organization in a more mature market where security and compliance concerns prevail. As we will see, every organization has its own unique IT Risk profile.

Classifying IT Risk

To help organizations understand and analyze IT Risk and organize their mitigation strategies, Figure 1 outlines a framework for classifying risks according to their impact on the organization. The framework classifies IT Risks as:
• Security risk – that information will be altered, accessed or used by unauthorized parties
• Availability risk – that information or applications will be inaccessible due to system failure or natural disaster, including any recovery period
• Performance risk – that underperformance of systems, applications, or personnel – or IT as a whole – will diminish business productivity or value
• Compliance risk – that information handling or processing will fail to meet regulatory, IT or business policy requirements

Figure 1: IT Risk spans four areas. Security (Internal and External Malicious Threats): Keep Bad Things Out; Keep Important Things In. Availability (Natural Disasters and System Failures): Keep Systems Up; Ensure Rapid Recovery. Performance (Application Performance and IT Performance): Optimize Resources; Ensure Correct Configuration. Compliance (IT Policy and External Regulations): Ensure Adequate Controls; Automate Evidence Collection.

These four categories classify all elements of IT Risk that we have seen in organizations, each with its own set of drivers and potential impacts. Although the survey on which this report is based concentrated on Security and Compliance areas of risk, this implies no prioritization of the four elements of IT Risk. Identification and prioritization of these elements is an important early step in establishing an effective IT Risk Management program. Table 1 (next page) provides further information and examples of sources and potential impacts of risks in each category.
Table 1: Categories of IT Risk, with examples of the sources and potential impacts associated with each.

Risk Category: Security – Compromise of information, confidence in it, and the technology and processes for managing it
Sources: External attacks; Malicious code; Inappropriate access; Disgruntled employees; Identity theft; External fraud; Proliferation of platform and messaging types
Potential Impact: Theft of financial assets; Corruption of information; Breach of client confidentiality; Damage to reputation & brand; Litigation; Reduced client or partner loyalty

Risk Category: Availability – Failure or delay in delivering IT processes or information needed for business transactions and operations
Sources: Network outages; Data center failures; Hardware failures; Physical destruction; Force majeure; Poor change management processes
Potential Impact: Interruption or delay of business-critical processes; Reduced user productivity; Reduced IT staff productivity; Reduced customer, partner, employee confidence; Damage to assets

Risk Category: Performance – Slow or inefficient operation of IT processes supporting business transactions and operations
Sources: Inefficient code; Inadequate capacity; Network congestion; Poor system architectures
Potential Impact: Interruption or delay of business-critical process; Abandoned transactions and lost sales; Reduced client satisfaction; Lost IT productivity

Risk Category: Compliance – Penalties, fines and loss of reputation from failure to comply with laws and regulations, or consequences of noncompliance with IT policies
Sources: Regulations unique to each jurisdiction, including the Gramm-Leach-Bliley Act, the EU Data Protection Directive, the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act; Inadequate third-party compliance standards; Internal IT safeguards supporting compliance; Expansion from central to end-point compliance
Potential Impact: Legal actions; Damage to reputation; Executive productivity
What drives IT Risk?

From October 2005 through October 2006, Symantec surveyed 528 individuals on topics related to IT Risk. Participants held a range of professional responsibilities in organizations of different sizes, industries and geographies – the Appendix provides demographic details. To assess the magnitude of IT Risk associated with core business processes, we asked a subset of respondents (n = 310)* to rate the IT Risk associated with each of seven key business processes in their organization.[1] The results are shown in Figure 2.

* This study used two separate survey instruments – some questions were repeated on both, others not. Numbers in parentheses ("n = ") report the number of surveys supporting each graph or data comparison. Please see the Appendix, "Survey instruments," for details.

Business-process definitions
Customer Relationship Management (CRM) – sales and electronic commerce
Supply Chain Management (SCM) – the entire product value chain from source to end-user
Operations Management – operational control of continuous service and product processes
Research & Development – the development cycle of products and service offerings
Business Intelligence – the corporate ability to make timely, informed business judgments
Finance & Administration – the process of financial and administrative management
Corporate Resources – business functions supporting the organization as a whole

Figure 2: IT Risk associated with each of seven key business processes (percent of respondents rating the risk Nil, Low, Moderate, High or Critical for Finance & Admin., Corp. Resources, CRM, Operations, Business Intel., R&D and Supply Chain). IT Risk associated with Finance and Administration processes (leftmost column) led participants' ratings for High or Critical risk, followed by those associated with critical customer-facing and operational tasks. Research and Supply-chain processes received the lowest risk ratings.

Systems and processes supporting Finance and Administration were associated with the greatest IT Risk, with 53% giving Critical or High ratings for all three measures. Sales, Operations and Business Intelligence processes ranked second. Research & Development and Supply Chain Management systems and processes introduced the least amount of IT Risk: only 27% of those surveyed rated SCM risks as High or Critical, and just 33% rated R&D risks this way.

These results highlight two important points. First, IT Risk is highest for critical operational functions or those that manage critical and proprietary or confidential information, and lower only for functions further removed from revenue generation and the customer experience. Second, IT Risk affects every major business process category: for even the lowest-ranked business process, nearly a third of professionals ranked IT Risk High or Critical.

Our analysis also explored the components of compliance risk. Participants were asked how much risk each of six categories of regulations introduced into their organization. The results are illustrated in Figure 3 (n = 528 except for Data Retention, n = 310).

Respondents saw Data Protection and Retention introducing the greatest amount of compliance risk into their organizations, with a very substantial 66% and 70% of respondents rating these risks as High and Critical, respectively, followed by Corporate Governance. Compliance with Corporate Governance policies ranked third, with 55% High or Critical ratings. About half the respondents rated Intellectual Property risk as High or Critical, while National Security and Criminal and Civil Laws were seen to introduce the least risk – only 36% and 44% of respondents, respectively, rating these either High or Critical.

Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance (percent of respondents rating the risk Nil, Low, Moderate, High or Critical for Data Retention, Data Protection, Corp. Governance, IP, Civil/Criminal and National Security). Data Protection and Retention show the highest proportion of High and Critical ratings, with over 66% of the respondents rating it High or Critical.
Compliance definitions
Data Protection – securing confidentiality of private and personal information, for example against identity theft
Data Retention – ensuring that enterprise data is stored securely and retained for access by legitimate users
Corporate Governance – assuring that public disclosures accurately reflect corporate performance
National Security – protecting citizens and national infrastructure from terrorism, war, or national disaster
Civil & Criminal Legal Framework – assuring that IT systems and networks support legal infrastructure through electronic signatures, data movement and use of IT resources
Intellectual Property Protection – protecting individual and corporate intellectual property

As with Business Processes, respondents expressed strong concerns about IT Risk in every Compliance area – risks in even the lowest-ranked areas were seen as significant by a third to half of the respondents. More significantly, more than half the respondents saw High or Critical IT Risk in areas governing the proper operation of their organizations and protection of critical information. This level of concern – across so broad a range of roles and industries – underscores how poorly managed these risks may be judged by those best-positioned to know.

To help understand the impact of IT Risk associated with compliance processes, we compiled an index to measure the relative importance of each of the six compliance measures above, and applied it to organizations with different demographics. Results show that organization size is a significant determinant of perceived compliance risk. For example, while 33% of organizations with more than 20,000 employees see compliance risk as critical to their organizations, only 15% of organizations with fewer employees do. Although a definitive explanation for this requires further investigation, the data are consistent with larger organizations' greater complexity, number of business processes and operations, and geographic span of operations, exposing them to more regulations and requiring greater compliance with internal policies to monitor and govern organizational behavior.

The Aerospace and Defense industry segment was the only industry in which a majority of respondents rated compliance risk as critical. And despite the stringent regulations they face, only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as critical. Respondents from Europe, the Middle East and Africa generally saw less risk associated with compliance than their counterparts in the United States. In Section 5, we will explore reasons for low risk ratings by organizations operating in high-risk environments.
Patient health and privacy connect when medical records are transmitted or stored.
Section 2 Process and technology effectiveness in Managing IT Risk

Effective IT Risk Management requires competence and investment in processes and technologies. Professionals surveyed at all levels of organizations across industries, scale, and geographic reach see their organizations' capabilities to deploy IT Risk Management technologies as more effective than their capabilities deploying processes.

IT Risk Management processes and technology

While acknowledging the relevance of Risk Management to IT, organizations often struggle to put its principles into practice. Participants' ratings of their organizations' effectiveness deploying processes and technologies for IT Risk Management depend not only on their organizations' industry, size, range of operation and other demographic factors, but on the differing perceptions of professionals within the organizations.

Controls for IT Risk Management

Although Risk Management principles have received wide attention, few organizations have formalized their IT Risk Management programs until recently. In the past few years, however, more organizations have added Chief Risk Officers and other executive positions with responsibilities for IT Risk management, or have adopted formalized service-management standards such as the IT Infrastructure Library (ITIL®), ISO 17799, and COBIT® to help them manage IT Risk, and expanded to encompass availability and performance in addition to security and compliance.

The most effective IT Risk Management programs use well-defined controls that combine well-chosen technologies and best-practice processes. We have identified eight technology and eight process controls that represent best practices for managing IT Risk (see sidebar, "Process and Technology Controls for IT Risk Management," for details). They are derived from best practices defined by international standards including the code of practice for information security management (ISO/IEC 17799:2005)[2], COBIT[3] and ITIL, published by the United Kingdom's Office of Government Commerce[4], refined by Symantec experience in dealing with highly effective organizations.

We asked survey participants to rate their success implementing each of the defined IT Risk Management controls – both process and technology. We also asked them to rate the amount of risk their organizations face, to determine whether organizations facing high levels of risk are more likely to have implemented highly-effective controls.
Process and Technology Controls for IT Risk Management

Process Controls
IT and Security Strategic Management, Policy and Architecture – architectures, policies and strategies defined to run IT services
Organizational Structure, Roles and Responsibilities – standards for interactions between groups, authority for security and external security-related communications
Training and Awareness – processes to increase visibility and knowledge of security risks
Assessment and Auditing – processes to assess the environment, controls, policies and processes used to implement strategy
Authentication, Authorization and Access Management – processes and technology to verify users' identities and control access to resources
Operational Design, Workflows and Automation – design and implementation of automated solutions, workflow and resource management
Asset Inventory, Classification and Management – processes to identify and classify assets, supporting execution of asset-class-based policies
Incident Readiness and Response – standards for preparation for and response to incidents

Technology Controls
Application Design, Development and Testing – processes, procedures, and methodologies to ensure that new and updated applications are appropriate, efficient and secure
Systems Build and Deployment – systems and technologies to assure effective, secure deployment of new and updated systems
Data Life Cycle Management – technology to move, replicate and protect data
Configuration and Change Management – tools and processes to regulate change
Resilient Infrastructure – technology to detect and correct vulnerabilities related to availability (e.g., redundancy and failover)
Performance Management – technology to monitor and manage system performance
Network, Protocol and Host Security – network design and infrastructure including segmentation, perimeter defense and availability
Physical Security – technologies governing access to IT infrastructure and facilities
Process effectiveness

We surveyed our sample of IT professionals (n = 310) to understand how effective they thought their organizations were in deploying eight key process-based controls. The results are shown in Figure 4.

Figure 4: Ratings of organizations' effectiveness at IT Risk Management processes, ordered left-to-right in decreasing order of perceived effectiveness (Authentication, Authorization, Access; Organizational Structure; Incident Response; IT Policy, Architecture; Assessment, Audit; Training, Awareness; Operational Design; Asset Inv., Classification, Management). Bars show the percent of respondents rating each control <10%, 25%, 50%, 75% or >90% effective.

"Authentication, Authorization and Access" was rated highest for effectiveness, with 68% of respondents rating their organizations more than 75% effective. "Asset Inventory Classification and Management" was lowest, with only 38% rating their organizations more than 75% effective.

The findings show that most IT professionals feel their organizations are most effective deploying tactical controls for which they are accountable: organizational structure, and authentication, authorization, and access, designed for protection against malicious external threats. They rate themselves moderately effective at policy-setting and compliance, assessment and audit, operational design, and incident response. And few felt they performed effectively in employee and IT staff training and awareness, or asset management.

Respondents rated "Asset Inventory Classification and Management" least effective of all their deployments. Yet this discipline is fundamental to build an IT Risk Management program that reflects the organization's priorities. Without careful risk assessment, all assets are likely to be treated equally, so that some will be overprotected and others underprotected.

The data show that the path from basic performance to best practice requires moving IT Risk Management programs away from a reactive posture. Instead, programs should raise IT Risk awareness and spread avoidance and mitigation efforts throughout their organizations.
Technology effectiveness

Figure 5 below represents how effective organizations are in deploying technology controls.

Figure 5: Ratings of organizations' technology effectiveness, ordered left-to-right in decreasing order of perceived effectiveness (Network, Protocol, Host Security; Physical Security; Resilient Infrastructure; Secure Data Lifecycle Management; Secure Systems Management; Config. and Change Management; Performance Management; Secure Application Development). Bars show the percent of respondents rating each control <10%, 25%, 50%, 75% or >90% effective.

"Network Protocol and Host Security" and "Physical Security" were the top-rated technology control deployments, with 80% and 77% of respondents, respectively, rating their organizations more than 75% effective. These are the strongest ratings of all controls, process or technology. "Secure Application Development" was least-frequently rated effective, with only 43% rating their deployments 75% effective or higher. "Configuration and Change Management" received such ratings from only 55% of respondents, and "Performance Management" from just 52%.

The low ratings of configuration and change and performance management deployments are significant. Organizations use these technologies to understand the configurations and performance levels of IT assets so they can minimize service disruptions and increase throughput. These deployments are critical in keeping systems stable, performing effectively, and up to date. Poor configuration and change management also constrains efforts to adapt and modernize systems for new opportunities or threats.

Although the survey identifies change management as a problem area, there are recent signs of improvement. In their "ITIL Change Management Maturity Benchmark Study,"[5] Evergreen Systems noted that "IT executives are increasingly integrating and internalizing change management procedures, processes and tools as core components of the organization." We will see in Section 4 that these disciplines are important drivers of performance improvements in IT organizations.
The role of secure application development is growing, as IT professionals recognize its effectiveness in preventing exploitation of application vulnerabilities by eliminating them at the source. The technology requires substantial early investments in tools and skills, so while secure application development proves very cost-effective over time, it remains in an early stage of adoption at most organizations.[6]

Technology and Process effectiveness index

To compare organizations' effectiveness deploying IT Risk Management processes and technology by industry, organization size, operating region, and professional role of respondents, we defined two indexes, rating implementation effectiveness of technology and process controls. The first averages ratings for eight process controls, the second for eight technology controls. We set levels to classify organizations as Strong, Good, Weak or Poor at implementing and deploying these controls.

Figure 6 compares these effectiveness ratings. It shows that organizations are generally more effective implementing technology than they are processes: 33% rated Strong on the Technology Effectiveness Index, only 25% on the Process Effectiveness Index. Process effectiveness lags behind technology despite the recent industry focus on processes, using frameworks such as ITIL, ISO and COBIT.

Figure 6: Effectiveness indexes of organizations (percent of respondents rated Poor, Weak, Good or Strong on the Process and Technology Effectiveness Indexes); each index averages eight individual factors. Organizations' implementations are generally stronger for technology controls.

For a closer look, we analyzed the data according to demographic categories. The relative strength of technology over process effectiveness was robust across industry, geography, organization size and respondent job role, with just a few variations, specifically:
• only in Government, Healthcare and Manufacturing did effectiveness deploying process controls even approach parity with effectiveness deploying technology controls; in no case were process controls rated more effective.
• large organizations and global organizations (often the same) were more effective deploying both technology and process controls, but every classification showed greater effectiveness with technology controls than with process controls.
• ratings of overall effectiveness from Managers were higher than those from either Directors or Executives; again, all groups rated their organizations more effective with technology than with process controls for IT Risk Management.

Best in Class: IT Risk and incident expectations

To help understand what makes organizations stand out as Best in Class at IT Risk Management, we divided 310 respondents into quartiles according to their overall effectiveness in the 16 process and technology controls identified earlier. The classifications were:
• Best in Class – top quartile (76th or better percentile, n = 77)
• Better – second (51st to 75th, n = 78)
• Good – third (26th to 50th, n = 77)
• Worst – fourth (25th or worse, n = 78)

For each quartile, we calculated and plotted separate indexes for regulatory and operational IT Risk (across 6 compliance and 7 business-process IT Risk areas), together with the rates at which respondents expected IT incidents. Results appear in Figure 7.

Figure 7: Expected IT incident rates and two categories of IT Risk (Compliance Risk, Business Process Risk and Incidents, plotted on an index scale of 1 to 5) for organizations in each IT Risk Management performance quartile (Worst, Good, Better, Best). IT incident expectations decline with effectiveness, despite increasing perception of IT Risk.
These results show that organizations rated more effective at managing IT Risk also experience higher levels of both Regulatory and Operational Risk. We had anticipated higher incident rates at high risk levels, either because negative impacts are more likely where risk exposure is higher, or because organizations base their perceptions of risk on incident expectations. The data show the opposite: effective organizations expect fewer incidents despite operating in riskier environments. This result suggests that by building awareness of exposure to IT Risks and improving technology and processes for mitigating them, organizations may actually reduce incident rates below the levels experienced by less-effective firms operating in safer environments. The result also cautions organizations not to count on a low-exposure operating environment to protect them from incidents without effective technical and process controls.

Effective IT Risk Management performance

The relationship between organizations’ IT Risk Management controls and expected incident rates deserves a close look. We’ve seen that despite facing the study’s highest levels of risk, best-in-class organizations expect the lowest realization of IT Risk, measured as incidents. Clearly, they are doing something right – what is it? When we fielded the research, we believed that the 16 process and technology controls identified in earlier sections would prove to be effective defenses or countermeasures, reducing an organization’s exposure to both external and internal IT Risks. To test this hypothesis, we used data from performance quartiles identified in the preceding section to plot organizations’ effectiveness in deploying each individual process or technology control.

In the “radar” graphs of Figure 8, gaps between the concentric polygons reveal differences in effectiveness from one performance quartile to another – for example, the jump in “Training and Awareness” process effectiveness between the “Worst” and “Good” groups in Figure 7. Asymmetries in the polygons reveal imbalances in effectiveness – for example, the high estimates of “Network Protocol, Host Security” technology effectiveness for all quartiles in Figure 8.

The lowest-performing quartile shows modest performance in two process areas (organization and authentication/authorization/access) and two technology areas (network and physical security). These areas are the most tactical in scope and straightforward in implementation, and therefore where most organizations get started. They have deployed other controls lightly or not at all, and assess their deployments as fairly ineffective.
[Figure 8: Effectiveness with Controls for Managing IT Risk – two radar charts (scale 1 to 5), Process Controls by Quartile and Technology Controls by Quartile, with series Worst, Good, Better, Best and Mean. Axis labels: Asset Inv., Classify, Audit; Authent., Author., Access; Training, Awareness; IT Policy Mgmt.; Org. Structure Assessment; Secure Data Lifecycle Mgmt.; Config. and Change Mgmt.; Operational Design; Perform. Mgmt.; Network, Protocol, Host Security; Secure Systems; Physical Security; Secure Appl. Development; Resilient Infra. Architect.; Incident Response. Caption: Process (top) and technology (bottom) control effectiveness scores for organizations in each performance quartile.]

Moving from the lowest quartile to the highest reveals a clear trend. More-effective organizations increase the number of controls they deploy, and raise the effectiveness of deployment of each control. Organizations with higher performance show effective performance across most or all measures (shown as distance from the graph’s center), rather than heavy emphasis on a few. Organizations in the top two quartiles begin to experience diminishing returns in areas such as physical security and authentication, authorization, and access, and much better returns on measures such as configuration and change management, data lifecycle management, training and awareness, operational design, and others.

The path from good to great IT Risk Management, then, involves moving from tactical, technical, and reactive to strategic, expansive, and proactive measures. It also requires a balanced program to evaluate all 16 measures and optimize incremental investments of people and dollars to achieve the greatest impact.
Critical connections face unique risks, and require special defenses.
Section 3 Aligning IT and business risks

Organizations manage risks so that they can pursue opportunities while keeping costs under control. Aligning differing perspectives on and activities toward IT Risk – among technical staff, managers and executives, and across departments and regions – is critical to avoid gaps, duplication, and waste.
Aligning IT Risk strategy to organizational goals

Aligning their operations to support organizational strategy is a top priority for IT executives worldwide. Aligning IT to business strategy has been a consistent theme in the IT professional and industry press for years.[7] Yet progress is slow: CIO Magazine recently reported their readers’ number-one priority for 2007 was – again – aligning IT and business goals.

IT Risk Management strategy – the importance of alignment

Why is alignment so important, and how can an IT Risk Management program advance it? When business and IT operate in alignment, clearly-visible links identify which IT assets and operations support business operations and the value they create. This visibility transforms IT from a cost center to a driver of business value. Alignment clarifies how IT resources may be deployed to bring products to market faster, deliver more effective service to customers, and lower IT costs. It also cuts duplication and over-investment that wastes resources and creates unnecessary IT complexity and cost.

Aligning an organization’s IT Risk strategy to business strategy is as important as operational alignment. Organizations’ risk profiles differ according to their lines of business and the strategies they pursue to maximize their effectiveness. Just as IT departments align their operations to best support those business objectives, they must align their Risk Management strategies as well – investing most heavily to mitigate those risks with greatest potential for business impact, and assuming greater exposure in those areas whose likelihood and impact are lower. Alignment closes gaps between organizational and IT Risk strategies that would leave the organization critically exposed to internal and external risks of all kinds.

An effective IT Risk Management program creates an IT Risk profile that supports the businesses’ larger objectives, accepting more risk where business impact is low, and managing risk more closely in areas where the most is at stake. As a result, an effective strategy for mitigating IT Risk may both protect an organization against incidents, and reduce IT cost and complexity. Whatever an organization’s risk profile and level of risk tolerance, risk mitigation typically means the ability to manage a larger risk portfolio and generate new revenue streams for the business, resulting in higher operational efficiency and greater capacity for innovation. Finally, a well-prepared IT Risk Management plan also guides system design and decision-making.
Achieving internal alignment on IT Risk

Our survey data identified lack of alignment on assessments of IT Risk within IT departments themselves, and between IT departments and the organizations they serve. The survey classified respondents’ jobs into Executive, Director, Manager, and Professional categories. Since the latter group includes non-IT employees, consultants, and third parties, the analysis concentrates on the first three groups. Respondents reported the level of IT Risk they perceived, first in complying with regulatory and policy requirements, and second in carrying out business operations.

Figure 9 shows the level of compliance risk perceived across the range of professional responsibilities in the survey. Directors reported lower levels of compliance risk than Executives or Managers. Assessments of High risks were close to parity: 44% of Directors rated their compliance risk as High, the same as Managers and two percentage points below Executives. The chasm appears in the assessment of Critical risks at the Director level. Directors were least likely to perceive compliance risk as Critical: only 16% did so, against 22% for Executives and Managers. The results show an organizational chasm between the ranks of Managers who implement IT programs – and therefore bear responsibility for the internal risk exposures and shortcomings of the organization – and senior Executives who set direction for the organization, and bear responsibility for its exposure to external risks.

[Figure 9: Perception of Compliance IT Risk by Job Role – % of respondents rating it Low, Moderate, High or Critical, for Executive, Director, Manager and Professional respondents. Caption: Ratings of organizations’ compliance IT Risk by respondents in four job categories.]
Figure 10 repeats the analysis for IT Risk introduced by Business Processes. Again, Directors reported lower levels than either Executives or Managers. Misalignment of IT Risk perceptions was even more dramatic, but in the opposite direction: 22% of Directors perceived Business Process Risk as Critical, against only 8% of Executives and 12% of Managers.

[Figure 10: Perception of Business Process IT Risk by Job Role – % of respondents rating it Low, Moderate, High or Critical, for Executive, Director, Manager and Professional respondents. Caption: Rating of organizations’ business process IT Risk by respondents in four job categories.]

The survey data, as well as discussions with respondents, revealed that the operational staff closest to implementation of IT programs may be the most inwardly-focused, due to their direct accountability for operational IT Risks, and have the highest awareness of specific weaknesses. Senior executives most removed from day-to-day operations may share a high perception of IT Risk, but with perceptions based on awareness of external factors and concern for the unknown. The Director level – which would ideally bridge these operational and strategic viewpoints to facilitate alignment – may be biased toward tactical operational risks over external or regulatory risks.

Of course, since these respondents were drawn from different organizations, alignment may be better within organizations than the job-role analysis suggests. But the systematic differences seen among Executive, Director and Manager perceptions were outside expectations based on differences in experience with a regulation or technology.

Disagreements among the ranks continued with process and technology effectiveness ratings. Section 2 revealed different effectiveness ratings for deployment of process and technology capabilities. IT professionals differ by job role in assessing their risk-management environments. A closer look shows that while 39% of IT managers report their organizations 75% or more effective in implementing technology capabilities, only 27% of executives agreed.
Why alignment on IT Risk matters

Misalignment of perceptions and actions is more than just a source of internal disagreement about IT Risk Management policy; it can itself become a source of IT Risk. Misalignment occurs in two ways.

The first type of misalignment is internal to IT. Today this disconnect often occurs along organizational lines – for example, in the seams between the executives and functions responsible for security, compliance, and operational business continuity and availability. Solutions such as messaging typically require all these functions to converge on a solution that is secure, available, and compliant, yet organizational alignments make convergence difficult to achieve, causing gaps in the way systems and processes are developed, deployed and managed. Invisible until something goes wrong, these gaps may cause sudden unexpected service-level shortfalls.

Alignment – the business side

Collecting data for this study at IT conferences and roundtables, we heard a recurring theme about alignment. Respondents told us that training users about IT and security risks, for example, ranked among their greatest challenges. They insisted that technology-based controls can only go so far, and that effective mitigation of IT Risk requires behavioral changes by end users throughout the organization. Recall that in Figure 4 of Section 2, we saw that Training and Awareness ranked third from the bottom in effectiveness among eight process controls.

Two elements were frequently cited as necessary to encourage behavioral change. The first was quantification of value to the organization as a whole of preventing system downtime and security breaches. Dramatic examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insufficient motivation to do more than the minimum. Until an organization’s stakeholders understand the impact of lost information, unavailable systems, and non-compliant processes in terms that are meaningful to them – lost sales, dissatisfied customers or reduced productivity, for example – sustained focus will remain out of reach.

The second element is culture. Organizations have different risk profiles to which IT Risk programs should be tuned. But they may also incorporate different workforces and cultures that will accept different levels of IT policy awareness and compliance, either of which may elevate risk. For example, a company with tens of thousands of employees averaging 24 years of age may require a very different policy for IM use and Web access on company systems and time than smaller companies with older workforces. Selective enforcement and highly visible actions may be more effective than stringent policies that are unenforceable because they fail to align with the organization’s culture.
The second type of misalignment is between the IT function and the rest of the organization. The IT Risk program may not fully reflect or respond to the needs of the organization as a whole. Alternately, organizational units and functions may not have sufficient awareness of their own IT Risk exposures, and how they relate to their own areas of responsibility. These disconnects result in “ivory tower” IT programs that over-invest in risk areas relevant to IT but not necessarily high organizational priorities, or under-invest in areas critical to organizational goals, resulting in loss of agility and increased risk. Both result in lower contributions to the organization’s overall success.

Active management and mitigation of IT Risk requires IT departments to avoid risks created by misalignment. First, they must make sure their departments are aligned internally. From the CIO to the backup administrator, everyone in the department should share an understanding of IT Risks and priorities. Second, IT management must work closely with clients and stakeholders in the organization as a whole, enlisting their help to assure that IT priorities reflect the organization’s goals and objectives, and to drive compliance with IT Risk Management programs where necessary. In combination, internal and business alignment assures appropriate resource allocation and operational efficiency. Companies following best practices in managing IT Risk incorporate the IT Risk strategy within the organization’s annual planning process to ensure alignment within IT and across the organization, and then track performance at an executive level as part of a corporate balanced scorecard.
integrity or availability (e. hinders the work of individuals or groups: Once a year 10 times a year 20 times a year Every day More than once a day Answers to self-test on page 47. Minor IT Impact Minor impact to your IT systems affecting less than 10% of your clients and/or servers. confidentiality. full breach of security): Never Once every 5 years Once a year Twice a year More than twice a year 3. Major Information Loss Service impact to your organization. caused by a loss of information.Sample questions How do your incident expectations measure up to those of the organizations in the survey? Answer these four questions. data corruption. 29 . and check your results against survey norms on the last page of the report: Context: What reflects the expected frequency of the following incidents in your organization? 1. data center outage. Regulatory Non-Compliance Your enterprise is found to be out of compliance with one or more governing regulations: Never Once every 5 years Once every 2 years Once a year More than once a year 2.g. Major IT Impact Severe impact to your IT organization affecting more than 10% of your clients and/or servers – halting operations of some critical part of your operations: Once every 5 years Once a year Twice a year 5 times a year More than 5 times a year 4.
Your business depends on reliable connections with suppliers, distributors, and customers.
Section 4 Understanding effective Risk Management

Organizations achieve effective IT Risk Management by deploying a broad range of IT technology and process controls. The transition from good to great IT Risk Management is achieved primarily by increasing effectiveness across the full range of measures in a structured, disciplined program that proceeds from a broad assessment of IT Risks to a closed-loop process of continuous improvement.
Understanding effective IT Risk Management

How can an organization build its capabilities for IT Risk Management? While there is no single formula or protocol, a broadly-applicable assessment, quantification, design, alignment and measurement program can help organizations marshal their resources effectively to achieve real, lasting improvements in IT Risk Management.

Achieving Best in Class IT Risk Management

Few organizations have achieved the level of IT Risk Management performance achieved by Best in Class organizations in this survey. The field is still emerging, and not all organizations are yet organized to deal with IT Risk in an integrated fashion. Nor do all companies face the same levels of IT Risk or share similar risk profiles. The case for change, however, is compelling: organizations are experiencing rising incident rates across the areas of security, availability, performance, and compliance, with significant impact to revenue, productivity, reputation, and cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthorized access to information averaged over $85,000 in 2006,[8] and system downtime costs reached tens of thousands of dollars per hour.[9] It doesn’t take long for incidents of this scale to create significant drag on an organization.

How can organizations advance from good IT Risk Management practice to great? For organizations trying to manage IT Risks effectively, the challenge includes understanding their portfolio of IT Risks, quantifying and prioritizing them against the organization’s risk profile, and developing an effective program of remediation activities, often while reducing IT infrastructure and process complexity and cost. A five-step process, detailed in Figure 11, can help organizations assess their levels of IT Risk, develop remediation roadmaps, and ultimately build effective, continuous IT Risk Management Programs. While the steps themselves may seem familiar, the specific tools and tasks supporting them are very valuable, and linkages between phases help maintain focus and continuity of organizational commitment.
[Figure 11: IT Risk Assessment and Management Process – Step 1 Develop Awareness of IT Risks; Step 2 Quantify Business Impacts; Step 3 Design Solution; Step 4 Align IT / Business Value & Implement Solution; Step 5 Build & Manage Unified Capability. Caption: Five-step IT Risk Mitigation process.]

Step 1 – Develop awareness of IT Risks

IT Risk mitigation begins with comprehensive discovery, including:
• establishing the program’s scope (how expansive a view of IT Risk is appropriate?)
• constructing a risk profile for the organization based on its overall priorities
• identifying key areas of IT Risk

For many companies, the challenge of discovery includes both identifying new areas of risk, and organizing the dozens or hundreds of IT Risks of which they are already acutely aware. A common question at this stage is, “How do I take the issues I already know about and assemble them into a comprehensive, structured framework I can assess and prioritize?” A clear framework requires identifying critical IT assets and understanding how they support critical business processes, often by evaluating the risk profile and assessment against IT best practices. Critical assets include the technology infrastructure underlying corporate operations, staff with privileged access to information, and the organization’s IT operational processes.

Assessment should also consider the organization’s current requirements, issues, capabilities and vulnerabilities. Requirements include legal obligations such as regulations, contracts, and service level agreements, as well as business requirements such as the privacy, availability, and integrity of business information. Finally, this stage involves identifying and classifying threats, vulnerabilities, and weaknesses, assigning each a priority according to risk. The search for vulnerabilities and weaknesses should cover applications, infrastructure, operations, and organizations.
Step 2 – Quantify business impacts

Quantifying business impacts is typically the most challenging step – and the most important. Until they have quantified the impact, positive or negative, of addressing an area of IT Risk, IT leadership may be unable to attract their colleagues’ attention to it, or the funds needed for mitigation. The “currency” of the business case varies according to the business and the area of risk. A Web site crash will mean lost revenue or sales for a retailer, negative brand impact or lost viewers for a media company, lost productivity for a manufacturer, and so on. The key is to build a case that makes sense in the local currency, whatever it may be.

Quantification of business impacts typically follows a two-phased approach. In the first, the full portfolio of risks is coarsely prioritized based on potential business impacts according to the organization’s risk profile and the ease or difficulty of risk mitigation. The second phase builds detailed business arguments for only those risks identified as high-impact areas. This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals.

Step 3 – Design solution

At this point, the organization knows the scope and components of its Risk Management program, its current status, and the priority and quantification of each area of IT Risk. The next step is to design a set of remediation solutions, across the classic elements of people, process, and technology. For some organizations this will be a narrowly-focused activity to address the most imminent areas of risk, for others a longer-term program with sequenced waves of initiatives, each with requirements, specifications, goals, and functions, measured in time, staff resources, and investment. The model can be iterative, and it should be periodic, linked to the organizational and IT planning cycles. For example, a model might be designed to provide tiered levels of service based on the priorities for different types of data and portions of the business. Solutions that reduce risk frequently also reduce complexity and cost. This is especially true when risks have been introduced by dense or poorly-followed processes, misaligned organizational models, or unclear requirements or policies.
Step 4 – Align IT and business value, implement solution

Although quantification is the most difficult step, most programs’ success lies in the effectiveness of implementation. Implementation determines whether risk-mitigation initiatives are deployed successfully across people, process, and technology with close involvement of organizational stakeholders, or devolve into local IT projects measured narrowly by software and gear implemented and administrators trained. As in most change-management programs, organizations can avoid or overcome the most common implementation challenges with a coherent system of metrics and performance management capabilities, including:
• replacing guesswork with quantification and prioritization of IT Risk Management efforts and investments
• replacing intermittent, reactive projects with a program that delivers consistent improvements over the long run
• replacing speculation with clear progress against consensus goals to secure the long-term investments needed for mitigation of IT Risks

Step 5 – Build and manage unified capability

Once implementation of the first wave of IT Risk solutions is underway, organizations should institute programs for continuous improvement and ongoing governance of their IT Risk Management program. Closed-loop measurement and continuous improvement are essential. By adapting their efforts as their experience and effectiveness grow toward maturity, organizations set the stage for collection of baseline data, performance tracking, and assessment of program effectiveness against the original business case. IT Risk Management follows a maturity model that begins with tactical basics and evolves to Best-in-Class performance. For most organizations, their position in this maturity model depends on their IT Risk profile and progresses through several waves of organizational, process, and technological change before reaching its goal.
Connections bring both opportunities and risks – managing them is everyone’s job.
Section 5 Risk Mitigation: process and payoff

In order to understand organizations’ IT Risk strategies better, we classified respondents into profiles based on their level of IT Risk and IT Risk Management effectiveness. While there are many ways to manage risk successfully, the resulting levels of risk and the costs to the organization can vary greatly. The best companies align investment to exposure, to focus attention and resources where they matter most.
IT Risk mitigation profiles

The way an organization manages the challenges in its environment can make the difference between a defensive, reactive position and an active posture that gives it the freedom to choose appropriate risks, effective actions, and its own path.

Effective mitigation

To explore the limits of risk mitigation, we performed a cluster analysis (n=310) to identify consistent patterns in survey respondents’ risk exposure, effectiveness of mitigation efforts, and expectation of IT incidents. The analysis revealed three groups in which respondents are similar to one another, but different from those in the two other segments:
• At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing medium to high levels of IT Risk, but demonstrate poor effectiveness in addressing it through mitigating process and technology measures. Organizations with this profile typically expect a high rate of incidents.
• IT Risk Balancers (42%) pursue a matching strategy, meeting their organizations’ high levels of IT Risk exposure with highly-effective mitigation processes and technologies. These organizations are frequently Best in Class.
• IT Risk Mitigators (23%) maintain effective IT Risk Management programs, but actually experience low levels of IT Risk. Organizations in this category seem to address IT Risk through overinvestment, signaling excessive costs, and missed opportunities elsewhere.

Figure 12 shows the performance of the three groups revealed by the cluster analysis, displaying all five underlying measurements instead of the single composite score used to create the clusters. The most interesting results are from the IT Risk Mitigator cluster. Mitigators, like Balancers, show high process and technology effectiveness – yet they face the lowest IT Risk levels of any group. Mitigators expect to enjoy low incident rates, but at high costs. Nothing in their underlying demographics separates Mitigators from Balancers. Instead, it appears that these organizations have chosen IT Risk Management strategies that meet comparatively low levels of IT Risk with investments that keep their mitigation processes and technologies highly effective, ensuring mitigation, but it is possible that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would identify over-investments.
[Figure 12: IT Risk Exposure, Control Effectiveness and Incident Experience by Performance Cluster – radar chart with axes Compliance Risk Index, Operating Risk Index, Incident Index, Process Effectiveness Index and Technology Effectiveness, and series At Risk, Balancer and Mitigator. Caption: Organizational clusters, showing all five underlying measurements. Mitigators deploy high technology and process effectiveness despite comparatively low levels of compliance and business-process IT Risk.]

Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis):

[Figure 13: Risk Management Patterns – Cluster Analysis – grid of IT Risk Exposure (Low-Mid to High, bottom axis) against IT Risk Management Effectiveness (Low to High, side axis), with the IT Risk Mitigators and IT Risk Balancer groups placed in the high-effectiveness row. Caption: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness, showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk.]

The cluster analysis did not identify a fourth group, occupying the lower-left quadrant and combining low levels of IT Risk and poor implementation of IT Risk Management programs. We suspect that such organizations are underrepresented in our sample because they are less likely than others to participate in surveys about IT Risk Management or attend industry events with IT Risk Management prominent on the agenda.
We speculate that this group faces low levels of risk, and implements IT Risk Management programs poorly, if at all. Their IT Risk strategy, which may not be articulated, might be to react to risks one by one as they arise, absorbing incident costs when that reaction is missing, inadequate or too late. Some may self-insure against IT Risks by maintaining reserves of financial assets to help with recovery from incidents.

Risk mitigation: how far?

Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and common sense suggest not – and certainly not at a reasonable cost. IT Risk must be managed, without constraining business performance. A changing IT Risk landscape demands consistent, programmatic management to adapt to and mediate new forms of IT Risk. And as organizations evolve over time, business priorities change, new regulations are enacted, and new external and internal threats to information and infrastructure crop up every day. The five-step approach described in Section 4 emphasized the importance of iteration and management to address risk as part of a program of continuous improvement.

Organizations that manage their risk portfolios effectively create opportunity: they can make educated, informed decisions on how and when to take on additional risk, minimizing risk and cost in areas most vital to the organization. Their improved IT Risk Management capacity gives them latitude to innovate and explore a wider range of business options. IT’s support of this capacity for flexible innovation is among its greatest contributions to business value.
Operational efficiency – the same path to a different goal

We undertook this study to understand IT Risk and the effectiveness of technology and process controls in managing that risk. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational risk – and while true, it may not be the full story. Organizations may also choose to invest in process and technology improvements with a primary goal of increasing operational efficiency. Lower risk levels in the Mitigator cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for operational effectiveness. Our results don’t speak to their motivations. But regardless of the motivations, these disciplines have positive impacts. Risk-management investments pay off by reducing incidents and freeing organizations to compete with greater confidence, agility, and success.
Conclusions

An organization’s assets, operations, and personnel may be brought to harm by internal or external threats carried out or weaknesses exposed across IT networks and systems. Managing IT Risk – in service of your organization’s mission – is the subject of this report, and the purpose of this series.

In a major year-long study, IT professionals reported significant gaps and shortcomings in their organizations’ deployments of controls to help them manage IT Risk, and identified serious problems aligning and coordinating IT Risk Management with the broader goals of their organizations. Respondents rated their organizations more effective at implementing risk-management technology than processes across the full range of industries, geographies, organization size and professional responsibilities. And they saw particular problems in managing IT assets and configuration and change control – both areas of critical importance in bringing IT Risks under control. Respondents also displayed different perspectives on risk based on their individual responsibilities.

Misalignment is itself a source of IT Risk, from risk exposures created by gaps between IT and organizational perceptions and priorities, and overinvestment in areas of low organizational priority, sapping resources more effectively deployed elsewhere. IT management must work closely with their business clients to assure those priorities reflect the goals and objectives of the business as a whole.

Best-in-class organizations – even though they face higher levels of IT Risk – anticipate fewer incidents, due to careful investments that maintain high effectiveness over the entire range of technology and process controls. In combination, internal and business alignment assures appropriate resource allocation and operational efficiencies, avoiding over- and under-investment, and achieving steady improvements measured against consensus goals.

The report outlines a five-step process to help organizations put consistent, measurable, long-term programs in place. Managing IT Risk is everyone’s job. From the CIO to the backup administrator, everyone should share a common understanding of IT Risks, their priorities, and how they relate to their individual areas of responsibility.
Appendix

Methodology

Data collection

Between October 2005 and October 2006, Symantec collected 528 responses from IT professionals attending IT events worldwide. Respondents completed survey questionnaires and submitted results in person. Respondents were offered and received a report comparing their responses to a benchmark group. To ensure candid responses and protect participants’ privacy, Symantec contracted a third party, Ecosystems LLC of Vienna VA, to collect, process, and protect the confidentiality of survey results on behalf of Symantec.

Survey instruments

Symantec collected 528 records using two survey instruments. The first, with 218 respondents, covered Compliance Risk, Incident Rate, Technology Effectiveness and Process Effectiveness. The second added a section on Business Process Risk and additional questions about Compliance Risk, Technology Effectiveness and Process Effectiveness. An additional 310 individuals responded to the expanded survey. Most questions were identical on both surveys, so we combined those results for a sample size of 528. Additions and improvements to the second survey prevented use of the full record set for every analysis. As a result, much of the report reflects the 310 responses from the second survey, with the larger sample size and more complete set of questions.

Demographics

We fielded both versions of the survey to a broad demographic group, and identified the industry, number of employees, respondent job role and global or regional coverage of the respondent’s business operations. These demographics provided the variables for much of our analytical work. Industry was classified into 37 segments, assembled into seven groups. The “Other” industry group comprises Agriculture, Construction, Mining, Retail, Wholesale and Energy.
Figure A1: Breakdown of 528 responses by industry. [Chart “Respondents by Industry”: Public Sector, Financial Services, Services, Manufacturing, Other, Telecom/Media, Healthcare; x-axis: Number of Respondents; series: Survey 1, Survey 2.] Please see the text for details.

We collected 161 and 308 job-role classifications from Surveys 1 and 2, respectively. We attribute the lower response rate for job roles in Survey 1 to privacy concerns among European respondents. The “Professional” role includes business, consultant and other non-IT job functions.

Figure A2: Breakdown of responses by respondents’ professional responsibilities. [Chart “Respondents by Professional Responsibility”: Executive, Director, Manager, Professional; x-axis: Number of Respondents; series: Survey 1, Survey 2.] Please see the text for details.
We measured organization size according to number of employees. As seen below, 215 respondents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at their organization.

Figure A3: Breakdown of responses by organization size. [Chart “Respondents by organization size”: > 20,000 employees; 5,001 to 20,000 employees; 1,001 to 5,000 employees; < 1,000 employees; x-axis: Number of Respondents; series: Survey 1, Survey 2.] Please see the text for details.

We asked respondents to indicate the major areas of the globe in which their organizations had operations. This question allowed respondents to pick multiple geographic regions, so the number of responses exceeds the number of respondents. Since we did not identify headquarters country, specific attribution of responses to geographic regions is not possible. We can, however, understand risk-management behavior in terms of geographic scale of operations and globalization.

Figure A4: Breakdown of 528 responses by respondent organizations’ operating region. [Chart “Respondents by organization operating regions”: Asia Pacific, EMEA, Latin America, North America; x-axis: Number of Respondents; series: Survey 1, Survey 2.] Please see the text for details.
We collected 92 of the 528 total responses during events conducted in Europe and South Africa, most during events based in the United Kingdom. Where appropriate, we compared these to the rest of the data set.

Use of Indexes

Indexes used in the report measured total importance or impact of a risk, effectiveness measure, or incident rate across respondents. During the analysis phase, we used the data to create six indexes summarizing the average response to a set of questions. We used each index to compare means across organization demographics or respondent group, and for correlation and comparative analysis. The six indexes used in the analysis are:

• Compliance Index – compliance risks listed on page 11.
• Business Process Index – business process risks listed on page 19.
• Incident Rate Index – incident expectations, as described on page 19.
• Technology Effectiveness Index – effectiveness of organizations at implementing technology capabilities listed on page 18.
• Process Effectiveness Index – effectiveness of organizations at implementing process capabilities listed on page 18.
• Overall Effectiveness Index – combination of the previous two indexes.

Please see the report text for details.

Answers to the Self-Test

To score your responses against incident expectations reported by 310 respondents in Survey 2, assign a value of “1” if you selected the least-frequent alternative, “2” for the next, to a maximum of “5” for the most-frequent alternative. Add the four scores, and then compare them to the survey sample using this table:

Best in Class = fewer than 6 points
Good performance = 6 to 10 points
Underperforming = more than 10 points
NO WARRANTY. The information provided in this document is being delivered to you “AS IS” and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com

For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/07 11859849

Confidence in a connected world.