IT Risk Management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors.
Greg Hughes, Chief Strategy Officer, Symantec Corporation
Table of Contents
Introduction (page 4)
Risk Management concepts guide an increasing number of IT decisions, but myths about IT Risk persist. Recent information helps correct misunderstandings about IT Risk, and direct attention to emerging areas of concern.
Conclusion (page 40)
With IT at the core of many critical business processes, IT Risk Management is a business imperative. Effective management not only protects information and infrastructure, but unlocks resources for the pursuit of strategic business initiatives.
Appendix (page 42)
Executive Summary
IT Risk, encompassing Security, Availability, Performance, and Compliance elements, has become a critical issue for executives and boards of directors. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals' insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risk. The Report addresses persistent myths about IT Risk, concluding that:
- IT professionals are adopting a more balanced, less Security-centric view of IT Risk: more of them now see Availability Risk as critical or serious than any other element
- Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable losses of customer loyalty, revenue, and company value
- Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals' expectations of monthly incidents in a constantly changing global and regional business and technology environment call for a continuous, process-oriented approach
- Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents
- Over the past year, survey participants saw no improvement in Asset Inventory Classification and Management controls, and a decline in Data Lifecycle Management
- IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting Corporate Governance, and supported by its own emerging frameworks, standards, and best practices
Symantec recommends a continuous IT Risk Management process starting with risk assessment, paying close attention to cultural and training issues, and addressing long-term structural improvements as well as early wins. Most implementations will focus on Security Risk and associated controls in the early stages, but should follow up with Availability Risk and delivery controls, and include Compliance and Performance Risk with strategic controls for an integrated, effective program over the long term.
Highlights
This report is intended for executives with responsibilities at the intersection of IT and business risk, including CISOs and vice-presidents of Risk Management, Data Center Operations, and Compliance/Audit. Report insights are based on the collective experience of IT professionals worldwide, and Symantec's deep expertise in every element of IT Risk Management. Be sure to check these highlights:
- Although IT professionals agree with consumers about the severity of Data Leakage incidents, they may underestimate their frequency: see Security Risk and data leakage under Myth 1
- IT professionals expect IT incidents to occur about once per month: see Incident rates and reactions under Myth 2
- Process issues cause 53 percent of IT incidents, most often because no process is in place to manage the incident: see The importance of process controls under Myth 3
- IT Risk Management is more than a defensive exercise; it identifies tradeoffs among risks, costs, and controls for confident, risk-aware pursuit of opportunities: see Process improvement disciplines under Myth 4
Introduction
Why IT Risk is important now. IT Risk: definition, elements, and controls. What we've learned so far, and why some myths still endure.
As IT grew from a back-office specialty to the core of financial, telecommunications and other modern businesses, exposures to IT Risk have grown to match. Not long ago, IT Risk occupied a small corner of Operational Risk: the opportunity loss from a missed IT development deadline. Today, the success of organizations and even nations may hinge on mastering a broad landscape of IT risks. The World Economic Forum provides a sense of scale. It ranks a breakdown of critical information infrastructure among the most likely core global risks, with 10 to 20 percent likelihood over the next 10 years and potential worldwide impact of $250 billion.[1] Sustained investment in IT (almost $1.2 trillion, or 29 percent of 2006 private-sector capital investment in the U.S. alone[2]) fuels growing exposure to IT Risk. As the world grows more dependent on IT systems and processes, management of IT Risk becomes a practical necessity. Those who neglect this emerging discipline may squander opportunities from fear of trivial or imagined threats, or fail to take elementary precautions against significant threats.
IT Risk elements
IT Risk encompasses the full spectrum of risks that may affect or result from IT operations: external natural disasters or changes in government regulation, internal processes that affect product or service quality, IT organizational and datacenter performance, loss of intellectual property, supervisory or legal controls, and much more. Symantec differentiates among the four classes of IT Risk elements illustrated in Figure 1 according to their source and potential impact on organizations, specifically:
- Security Risk: that information will be accessed, manipulated or used by unauthorized parties
- Availability Risk: that information or applications will be made inaccessible by process, people or systems failures, or natural disasters
- Performance Risk: that underperforming systems, applications, staff, or organizations will diminish business productivity or value
- Compliance Risk: that information handling or processing will fail to meet regulatory, IT or business policy requirements
[Figure 1: diagram of the four IT Risk elements (Security, Availability, Performance, Compliance) arranged around IT Risk. Recoverable labels: Availability: Natural Disasters and System Failures; Keep Systems Up; Ensure Rapid Recovery. Compliance: IT Policy and External Regulations; Ensure Adequate Controls; Automate Evidence Collection.]
Figure 1: IT Risk encompasses four types of element, each with its own drivers and potential impacts.
Detailed descriptions of these risk elements, with sources and potential impacts, may be found in an earlier report.[3]
Against the array of external and internal IT risks, organizations deploy controls: IT processes and technologies designed to close vulnerabilities, maintain continuity of operation at specified performance levels, and achieve and document compliance with external and internal policy requirements.
A look back
The initial IT Risk Management Report, Volume 1 was published in February 2007 and is available at www.symantec.com/about/leadership. From more than 500 in-depth surveys, it determined that IT professionals:
- See their organizations as more effective deploying technology than process controls
- Consider IT asset inventory, classification and management, and secure application development processes to be significant problem areas
- Target people and process improvements over technologies as their best opportunities to move from good to great
- Identify areas of misalignment between levels of their IT organizations about sources of IT Risk
The most encouraging result was that best-in-class organizations, even though they faced higher risk levels, experienced fewer incidents than less-effective organizations. Their effective defense against more intense attack may be attributable to balanced investments across a range of controls to mitigate the full spectrum of IT risks.
This report
From February to October 2007, Symantec surveyed 405 IT Professionals about various aspects of IT Risk Management. Methodology and sampling were generally comparable with those of the first survey; please see the Appendix for details. This report of its findings complements Volume 1 in several ways, specifically by:
- Increasing emphasis on Availability and Performance Risks, to balance the Security and Compliance emphasis of Volume 1
- Balancing recurring and new survey material to assess changes in the IT Risk environment since collection of earlier information
New survey questions addressed emerging issues with important implications for IT Risk Management, specifically:
- Data leakage: risks to an organization's information assets from both external malicious activity and internal errors
- Endpoint management: the need to extend policy-based control over fixed and mobile endpoints in sprawling, porous, worldwide networks
- Data center virtualization: IT Risk Management implications of adopting virtualization technologies to improve utilization and productivity of storage and servers
- Zero-day exploits: the need for new defenses as the time needed to create and disseminate malicious code that exploits a published vulnerability converges on zero
The second survey extends and further defines key issues and trends raised in the first. This report will compare results against those of the first survey to identify trends and differences, and explore new insights from the latest research.
IT Risk covers more than IT Security, and even Security Risk presents new challenges.
Security is important, but not the whole story. Compliance: law and policy. How Availability and Performance are different, and why they can't be ignored.
No myth about IT Risk Management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word "risk" seems to apply more easily to security than to performance, availability, or compliance. Or IT professionals' consumer and early-career experience may have conditioned them to anticipate IT Security risks over others. Regardless of the cause, overestimating Security Risk can cause misallocation of time and resources, and significant exposure to other IT risks. Even when Security risks remain top-of-mind, they need to be considered in balance with the full range of IT Risk elements. This section reviews some critical relationships among IT Risk elements, and points out the value of a balanced approach.
Although focus on Security Risks persists, survey results document the emergence of a broader view. Figure 2 shows that slightly more survey participants gave Critical or Serious ratings to Availability Risk than to any other element: 78 percent, against 70 percent for second-place Security, 68 percent for Performance, and a low of 63 percent for Compliance Risk. This result may reflect a focus on availability among survey participants who are directly accountable for it, and it underestimates the impact of Performance risks that, as we will see, are often business-critical. The data also support two important conclusions. First, a majority of participants rates every area of IT Risk either Critical or Serious. Second, only 15 points separate the top- and bottom-rated categories. IT Professionals are adopting a more balanced view of IT risks.
* In this Report, stacked-bar graphs show risk levels in ascending order from top to bottom. This is a change from Volume 1, to help readers combine top risk levels by reading from the scale instead of calculating. Colors assigned to risk levels are unchanged. Variation in the number of data points represented in the graphs reflects differences in the survey items presented to and completed by participants.
[Figure 3: stacked-bar graph of impact severity ratings; legend: Not applicable, Not considered, Minimal impact, Some impact, Serious impact.]
Figure 3: Impact severity estimates for data leakage from corporate information systems. (n=277)
But our survey participants judged that the probability of major data leakage incidents at their organizations is comparatively small: only 46 percent of them expect incidents as often as once a year (see Figure 4); a slight majority expects an incident only once every five years. Is this a realistic assessment, or are survey participants underestimating this risk and overestimating the effectiveness of their mitigation efforts? Incident rates for data leakage are notoriously complicated, due to:
- Lack of consistency in reporting standards across organizations and jurisdictions
- Strong points of view held by organizations that report incident data, e.g. consumer-privacy advocacy groups and banking industry organizations
- An understandable reluctance of victimized organizations to disclose incidents except to their customers and as required by law
- A twofold threshold problem: smaller incidents may not be widely reported, so incident rates seem lower, but average impacts seem higher
- A misguided focus on criminal activity, although most breaches are due to employee error[14]
Because of these factors, data leakage incident information may be reported in fragmented, inconsistent fashion, leading to lower predictions of incident frequency. Survey participants' confidence in data protection may be misplaced, given the broad availability of stolen data for sale on the Internet. Identities, complete with U.S. bank account, credit card, government-issued identification numbers and birthdates, are available for purchase online from U.S. $14 to $18.
And with large impacts possible from even a single data-security breach, Symantec recommends:
- Careful analysis of security event logs using technology and services available from Managed Security Service Providers (MSSPs)
- Monitoring of trends across the security threat landscape, using the Symantec Internet Security Threat Report and other sources
- At a minimum, a quick review of network endpoints, considering vulnerabilities to both internal error and external malfeasance
- Evaluation of some of the new, information-focused security tools developed specifically to help organizations address data leakage
Figure 4: Estimated frequency of data leakage from corporate information systems. (n=277)
Compliance
Compliance Risk stems from failure to meet regulatory or business requirements for information handling or processing. In highly regulated industries, compliance failure may compromise the organization's reputation, profitability, or even existence. Since many regulations govern privacy and information security, Compliance is sometimes seen as derivative of Security. But Compliance Risk is more than Security Risk formalized by law. Regulations including new U.S. Federal rules for legal discovery broaden the scope of Compliance Risk beyond security concerns. And even regulations unrelated to IT may require dramatic changes to IT infrastructure and processes, adding complexity and competing for scarce IT resources with mitigation of other risks. The U.S. Sarbanes-Oxley Act of 2002[15] and the EU Markets in Financial Instruments Directive[16] are just two recent examples of regulatory initiatives not aimed at Security Risk, but with far-reaching consequences for IT.
The compliance obligations of organizations subject to local, regional, and national regulations include the costs of maintaining and reporting compliance to the satisfaction of external regulators, the challenges of setting and meeting internal policies and standards to assure that external requirements are met, and obligations governing the security, availability and performance of their IT services for internal clients.
Compliance impacts
The IT Policy Compliance Group examined financial impacts of IT compliance in 2007. After finding an association between compliance and lower rates of data loss and theft, the study determined that after loss and theft incidents, public companies experienced eight-percent declines in stock price, active customer base, and short-term revenues. In addition, the study found that firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements.[17] Noncompliance with standards and internal policies introduces risks even when regulatory controls are moderate. Combining these direct and indirect impacts with intangibles (losses of reputation, loyalty and employee morale) justifies the ranking of Compliance as a critical IT Risk.
IT Risk: Value and Vulnerability

| IT Risk element | Compromised core values | Risk origins |
| --- | --- | --- |
| Security | | External attacks, malicious code, physical destruction, inappropriate access, disgruntled employees |
| Compliance | | Changing or misunderstood regulations, missing or poorly-defined IT policies, insufficient auditing capability |
| Performance | | Poor system architectures, network congestion, inefficient code, inadequate capacity, ineffective process design |
| Availability | | Network failures, inadequate change management, data center failures, regional disasters |
But the reciprocal relationship Security and Compliance have with Availability and Performance extends to the middle ground. Every improvement in distribution of information raises the risk it will fall into the wrong hands, or violate principles governing its use. Likewise, attempts to secure information often make it less available, and may compromise the performance of systems that process it. This reciprocal relationship is at the core of many tough decisions in IT Risk Management.
Availability impacts
When business processes depend, sometimes completely, on IT systems and processes, IT failures cause business failures. Researchers at Dartmouth and the University of Virginia investigated one example: hypothetical failure of the Supervisory Control and Data Acquisition (SCADA) network at an oil refinery. SCADA failure would immediately shut down production because of safety concerns. The researchers estimated economic impact of $405 million from a hypothetical ten-day outage at a supplier that contributed 10 percent of the U.S. gasoline supply. The affected supplier would bear only $255 million of the impact; others in the supply chain would assume the remaining $180 million loss.[19] The example highlights two important facts: First, IT system availability is often equivalent to business availability. Second, in a connected world of global supply chains and collaboration networks, availability failures in one business cascade directly into others.
Performance impacts
Performance risk compromises business efficiency. A thought experiment illustrates the point: 1 percent loss in labor productivity is just five minutes of an eight-hour day. But for a U.S. or Western European organization of 10,000 employees, that same loss costs approximately $4.25 million in wages every year. * How many organizations can say that they lose no more than 25 minutes of productive time (about 5 percent) from slow system response time, inefficient application design, poor integration, or misaligned IT and business priorities? Figure 5 estimates the annual costs of productivity losses on that scale and less, for organizations of different sizes. Figure 2 showed that 68 percent of survey participants rated Performance Risk a critical or serious threat. Add to the direct impacts of Performance Risk on productivity follow-on effects on customer satisfaction and supply-chain efficiency, and it becomes clear why Performance Risk is an important target for IT Risk Managers.
* Assumes 60 percent of employees in the United States and 40 percent in Western Europe, all earning their national average hourly wages: $18.58 for the U.S. and $23.31 for the UK. U.S. average wage per U.S. Social Security Administration, October 2007; UK per National Statistics Office, November 2007.
Figure 5: Hypothetical annual cost of unproductive time, expressed as millions of dollars per minutes lost each day, for organizations of different sizes.
IT Risk Management is a continuous process, to address constantly changing IT Risk and business environments.
IT change outpaces point-in-time planning. IT Risk Management is adaptive and continuous. Start with policy, and deploy the right controls.
Already involved in hundreds of projects, busy Enterprise IT departments may see the assessment of IT Risk as a one-off project, followed by adjustments to remediate specific deficiencies. But this is unsatisfactory in a world where risks are constantly changing. Organizations must monitor IT risks continuously, and make frequent changes to their management strategy. And while it's certainly true that the initial stages of IT Risk assessment will resemble other projects, and that the process can profit from the same discipline and focus that make any IT project a success, the project perception, like the firefighting mentality that preceded it, can defeat even the best intentions and efforts. Annual projects, or "random acts of risk management,"[20] are better than nothing at all. But organizations put themselves at risk when the cadence of their IT Risk Management programs fails to match the rate of change in their risk environment. Effective, continuous IT Risk Management processes may be introduced to an organization without compromising the discipline and sense of mission surrounding the launch of major initiatives. This section reviews some of the ways that business and technology change affects the risk environment, and outlines some ways leading organizations have introduced IT Risk Management into their core business processes.
Figure 7: Participants expected incidence of severe impacts from loss of information confidentiality, availability, or integrity. (n=405)
Figure 8: Participants expected incidence of severe impacts to their IT organizations that interrupt critical business operations. (n=405)
Figure 9: Participants expected incidence of minor impacts to their IT organizations that impair the work of individuals or groups. (n=405)
weather. Performance Risk shows long-term trends based on the availability and affordability of high-performance systems, applications, and personnel. But it also shows seasonal variations based on demand cycles that vary from one organization to another, and the resources available to meet them.
Controls
Once underway, a successful IT Risk Management program needs to monitor controls to assess the internal environment, and appropriate sources of information to monitor the external environment. More frequent monitoring of internal controls helps cut incidents and associated losses. The IT Policy Compliance Group determined in 2007 that organizations that monitor IT controls more frequently experience fewer incidents: organizations with the fewest unreported data losses and compliance deficiencies are monitoring and measuring controls once every one to three weeks, and on average at least once every two weeks; firms with the most IT compliance deficiencies and the highest latent data losses are monitoring and measuring controls once every 6.8 to 8.5 months.[21]
Information
Conversations with business managers provide valuable insights into strategic direction and go-to-market initiatives; IT vendors can help predict system upgrades and other operational information. IT analysts can help identify IT trends and emerging issues to help managers assess the external environment. One valuable source is the Symantec Internet Security Threat Report, which offers a six-month update of internet threat activity that includes analysis of attacks, vulnerabilities, malicious code, and trends in phishing and spam.
People, executing processes supported by technology, are your most valuable resource to manage IT Risk.
Process effectiveness is a known weakness. Frameworks, controls, and the road to improvement. Key process controls and the critical role of training.
Organizations manage IT risks by deploying controls. These span a wide variety of activities, and typically involve people executing processes with technological support, for example by using compliance management software to create policies mapped against regulations and best practices, and then to monitor and document compliance. The February 2007 IT Risk Management Report, Volume 1 examined relationships in the use of eight technology controls and eight process controls. In a technology discipline populated by many specialists with engineering backgrounds, it was no surprise to find attempts to solve persistent problems framed in engineering terms. IT professionals rated their organizations more effective deploying technology controls to address IT Risk than they did process controls. The analysis also determined that best-in-class organizations followed a more balanced approach in deploying technology and process controls. For the 2008 study, we expanded the analysis to cover a larger set of controls, each with elements of people, process, and technology.
Figure 11: Expected incident rates and ratings for two categories of IT Risk in organizations in each IT Risk Management performance quartile. Professionals from better-rated organizations see themselves facing more IT Risk, but expect fewer incidents. (n=405)
As they did in Volume 1, these results show that participants who rated their organizations effective in managing IT Risk saw them facing greater compliance and business process risk but expected fewer IT incidents. The relationship suggests that organizations more effective at deploying controls are rewarded with lower rates of incidents.
Figure 12: Effectiveness ratings for four categories of controls (strategic, support, delivery and security) by performance quartile. (n=405)
Process-based issues caused 53 percent of incidents. In 63 percent of these cases, no predefined process existed to manage the incident; in only 22 percent did an existing process fail to manage it. Environmental configuration issues accounted for 51 percent of incident root causes, and staff skills for 41 percent.
Figure 13: Root causes of IT incidents. (Total exceeds 100 percent: 63 percent of the incidents had multiple root causes). (n=85)
- Standardization of IT infrastructure and processes, to reduce costs, complexity, and time-to-value of IT investments
And as we will see in the next section, investments in training and staff development are among the most productive paths to improved performance.
Process trends
While interviewing for last year's study, we observed that several organizations were making large investments in secure application development processes. Participants explained that they were building more secure IT operating environments by eliminating security problems at the source. Comparing this year's results with those, we have seen a 10 percent improvement in the number of participants rating secure application development over 75 percent effective. This indicates that organizations are making thoughtful, effective investments to manage IT Risk. We predict that Problem Management will be the next area to improve as Secure Application Design did. ITIL helps align IT initiatives with business goals, using Problem Management "to minimize the adverse impact of Incidents and Problems on the business that are caused by errors within the IT Infrastructure, and to get to the root cause of Incidents and then initiate actions to improve or correct the situation."[24] Our research with MIT showed that IT incidents share root causes. We expect that as IT Risk Management programs mature, they will begin to deploy more robust Problem Management processes to eliminate root causes of IT incidents, using or modifying technology as needed, but relying primarily on processes to manage specific, identified root causes. In Volume 1 we noted concern over the low rating of the Asset Inventory Classification and Management control. Participants in the current survey reported a negligible increase in effectiveness for this control, still the most poorly rated in the study. In addition, the current survey shows a decline of 17 percent in the number of participants who rate Data Lifecycle Management over 75 percent effective. The combination of these two trends is a concern. Both of these controls classify systems and information, applying unique policies to each class. This process aligns the treatment of each class with business objectives. Weakness of these controls suggests that assets will be treated equally, so that some systems, processes, and objects will be overprotected and others underprotected from IT Risk, resulting in cost and service inefficiencies.
Key Controls for Managing IT Risk
The key controls listed below were derived from extensive study of published control standards for IT management, including the Information Technology Information Library (ITIL), CobiT, and ISO 17799, as well as from Symantec's experience in working with top-performing organizations throughout the world.
Strategic Controls
- IT policy, strategy, and architecture
- Organizational structure, roles, and responsibilities
- Governance, compliance and continuous improvement
- Data lifecycle management
Support Controls
- Asset inventory classification and management
- Physical and environmental management
- Configuration, change and release management
- Incident, response and problem management
Delivery Controls
- Service level management
- Operational design, workflows and automation
- Secure application design, development and testing
- Systems build and deployment
- Capacity management
- Availability management
- Service continuity management
Security Controls
- Authentication, authorization and access management
- Network, protocol and host security
- Training and awareness
An emerging business discipline, not a science. Origins of IT Risk Management. IT Risk Management in context: Risk Management, Business Strategy.
This last myth is more widespread within the practice of IT Risk Management than in the business community at large. As IT Risk Management becomes more widely practiced, disciplined, and documented, and especially as standards and frameworks encourage consistent practices, practitioners may come to see it as a set of fixed principles and relationships, universally applicable across industries and geographies.
A few pioneering companies demonstrated that these efficiencies could work even across company boundaries, in supply partner and distributor networks that combined with the communications efficiencies of the Internet to launch the e-commerce revolution. IT Risk Management is their natural successor. Too often viewed as a merely defensive exercise, IT Risk Management helps companies identify both risks and opportunities in their business environment, and trade-offs between risks and costs, or risks and opportunities. With trade-offs identified and measurement systems and controls in place, organizations can take appropriate risks confidently, to pursue opportunities they might otherwise forgo.
Business and IT Governance
Regulations governing business conduct, most prominently Sarbanes-Oxley in the United States, raised the accountability of corporate officers and disclosure standards for business information, with significant implications for IT. Sarbanes-Oxley was an external stimulus for many companies, the first that forcibly aligned business and IT strategies, and made IT Governance a top-of-mind issue for many chief executives. To meet the requirements of Sarbanes-Oxley, EU Privacy and Markets Directives, and industry-specific regulations such as the Health Information Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) Data Security Standards, IT needed a way to organize, evaluate, and balance these requirements systematically to guide effective action, and IT Risk Management was well adapted for the task.
1. Security risks and controls. Survey results suggest addressing Security Risk first: better security controls showed the strongest correlation with improved incident expectations. And because information security is IT-centric, IT can act with less dependence on others to achieve easy wins and gain early momentum.
2. Availability risks and delivery controls. Delivery controls, closely associated with Availability Risk, had the second-strongest correlation with reduced incident expectations. Our research also indicates that organizations facing higher levels of business process risk deploy delivery controls most often. And because business managers easily grasp the benefits of reduced Availability Risk, delivery controls are an excellent step toward meeting business objectives outside the glass house.
3. Compliance/performance risks and strategic controls. Compliance and Performance Risk most closely underpin business units' daily use of IT services. Managing these risks requires collaboration to align the actions of IT with the requirements of its business clients. Laying a foundation with the Security and Availability Risk elements prepares your organization for these more sophisticated conversations.

Your organization may face a unique set of risks that calls for a different approach: for example, an insurance company in an at-risk region may focus on Availability Risk first, or a company under regulatory review on Compliance Risk. As illustrated in Figure 14, alignment is critical throughout execution. And regardless of the order of deployment, use the four best practices as a guide.
Figure 14: Illustration showing how key elements of IT execution interact with the most important issues in IT/business alignment. Execution skills apply across multiple issues, justifying investments in skill development.
Conclusion
Technology drives the consolidation of industries, the globalization of markets, and the invention and reinvention of organizations worldwide. Technology supports collaboration and innovation at rates never seen before. But technology failures can bring entire segments of the economy to a halt, corrupt records or leave them inaccessible, and compromise employees' productivity. Managing the risks introduced by IT is a business imperative. In this report, we have observed that:

- IT failures in your organization ripple through customers, suppliers and partners
- IT risks come from multiple sources, change constantly, and require a continuous program of discovery, monitoring, and management
- IT risks are managed by the combination of people, process, and technology, balancing risks against business objectives
- IT Risk Management is a business process that adapts to organizational requirements, guided by best practices

As you launch or expand your IT Risk Management program, keep in mind that managing IT Risk rarely means eliminating it. Instead, IT Risk Management disciplines and practices help keep IT services flexible, adaptive, and aligned to organizational goals in a constantly changing business climate. In addition, IT Risk Management can provide the insight that allows you to take calculated risks with confidence and use IT to drive competitive advantage.
The future
Symantec will continue its research into IT Risk Management to discover additional practical recommendations and best practices that help organizations develop and implement their own programs. Future research will assess the state of deployment and maturity of IT Risk Management programs, including the prevalence of IT Risk Management initiatives and the use of program-based best practices. Symantec will continue to explore how the management of IT Risk contributes to business productivity, competitive advantage, and the spirit of innovation.
Appendix
Methodology
Data collection

Between February 2007 and October 2007, Symantec collected 405 surveys from IT professionals attending IT events worldwide (approximately 85 percent) or online at www.symantec.com (approximately 15 percent). Each participant received a report comparing his or her responses to those of a benchmark group. To ensure candid responses and protect participants' privacy, Symantec contracted a third party, Ecosystems, LLC of Vienna, VA, to collect, process, and aggregate the survey results. Because participants occasionally skipped one or more survey questions, the number of responses may vary from one question to another.

Differences in questions

For comparison and trend analysis, the current report echoes several questions from the Symantec IT Risk Management Report, Volume 1, which reported responses from 528 participants last year. The current report also includes results from questions designed to extend data-set coverage or explore emerging issues.
Demographics
We fielded the survey to a broad group of IT professionals, across industries, sizes of organization, participant job role and global region. These demographics provided the variables for much of our analysis.
Figure A2: Participants by job role: professional includes business, consultants and other non-IT job functions. (n=405)
Figure A4: Participants by geographic region. This report includes participants from the Asia Pacific region, which was not represented in the previous report. (n=405)
Use of indexes
This report compiled seven indexes to measure the significance or impact of risks, effectiveness measures, or incident rates across participants; to compare results across demographic or other categories; and to support correlation and comparative analysis. Each index averages the responses across its relevant set of questions. The indexes are:

- Compliance Index
- Business Process Index
- Incident Rate Index
- Strategic Effectiveness Index
- Support Effectiveness Index
- Delivery Effectiveness Index
- Security Effectiveness Index
General References
Westerman, George and Hunter, Richard. IT Risk: Turning Business Threats into Competitive Advantage. (Boston: Harvard Business School Publishing, 2007).
Business Roundtable. Growing Business Dependence on the Internet: New Risks Require CEO Action. (Washington DC: September, 2007).
Lamy, Lionel. IT Risk Management: A Business Issue of Strategic Importance. (Framingham, MA: IDC, July, 2007).
Finley, Ian. IT Risk Comes Into Fashion. (Boston: AMR Research, August, 2007).
The Boston Consulting Group. Innovation 2007: A BCG Senior Management Survey. (Boston: August, 2007).
IT Policy Compliance Group. Taking Action to Protect Sensitive Data. (February, 2007).
Caldwell, French. The 2007 Compliance and Risk Management Planning Guidance: Governance Becomes Central. (Stamford, CT: Gartner, Inc., April, 2007).
Kark, Khalid. 2007 Security Budgets Increase: The Transition to Information Risk Management. (Cambridge, MA: Forrester Research, Inc., January, 2007).
Heiser, Jay. Choosing Risk Management Methods. (Stamford, CT: Gartner, Inc., June, 2006).
Caldwell, French and Mogull, Rich. Risk Management and Business Performance Are Compatible. (Stamford, CT: Gartner, Inc., October, 2006).
Rasmussen, Michael. Business Drivers for Enterprise Risk Management. (Cambridge, MA: Forrester Research, Inc., February, 2007).
End Notes
1. World Economic Forum. Global Risks 2007: A Global Risk Network Report. (Geneva: January, 2007), page 8.
2. Bureau of Economic Analysis. National Economic Accounts: Private Fixed Investment in Equipment and Software by Type. (Washington DC: November, 2007), Table 5.5.5U.
3. Symantec Corporation. IT Risk Management Report, Volume 1. (Cupertino, CA: February, 2007), Table 1, page 8.
4. Sharon Gaudin. "T.J. Maxx Security Breach Costs Soar to 10 Times Earlier Estimate," Information Week. (Manhasset, NY: CMP Media LLC, August 15, 2007).
5. Jeremy Kirk. "Estonia Recovers from Massive Denial-of-Service Attack," NetworkWorld. (Boston: IDG, May 17, 2007).
6. Deborah Gage and Kim S. Nash. "We Really Did Screw Up," Baseline. (New York: Ziff Davis, May 14, 2007).
7. Tom Young. "HMRC fiasco places data protection under the spotlight," Computing. (London: Incisive Media Ltd, November 29, 2007).
8. Symantec Corporation. Internet Security Threat Report, Volume XII. (Cupertino, CA: September, 2007).
9. Symantec Corporation. "Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers' Financial Gain," press release. (Cupertino, CA: March 19, 2007).
10. Dr. Larry Ponemon and Vontu, Inc. 2007 Consumer Survey on Data Security. (Traverse City, MI: Ponemon Institute, June 25, 2007).
11. Infowatch. Global Data Leakage Survey 2006. (Moscow: February 15, 2007). http://www.infowatch.com/threats?chapter=162971949&id=207784626
12. Tom Young, op. cit.
13. Ponemon and Vontu, op. cit.
14. Symantec Corporation. "Stop Data Leakage Now," article. (Cupertino, CA: April 17, 2007). http://www.symantec.com/business/library/article.jsp?aid=stop_data_leakage
15. Lawrence D. Dietz, Esq. International Implications of Sarbanes-Oxley: What Every IT Professional Should Know. (Cupertino, CA: Symantec Corporation, October 13, 2006).
16. A Balanced Approach to MiFID Compliance. (Cupertino, CA: Symantec Corporation, March, 2007).
17. IT Policy Compliance Group. Why Compliance Pays: Reputation and Revenues at Risk. (July, 2007), page 1. http://www.itpolicycompliance.com/research_reports/spend_management/read.asp?ID=10
18. A Chronology of Data Breaches. (San Diego, CA: Privacy Rights Clearinghouse). www.privacyrights.org/ar/ChronDataBreaches.htm
19. Scott Dynes, Eva Andrijcic, and M. Eric Johnson. "Cost to U.S. Economy of Information Infrastructure Failures," forthcoming in Proceedings of the Fifth Workshop on the Economics of Information Security. (Hanover, NH: Dartmouth College Institute for Security Technology Studies, 2007). http://www.ists.dartmouth.edu/library/207.pdf
20. Jennie Grimes. "IT Risk Management: Rising to the Top of CIO Agendas," CIO Magazine, insert. (Framingham, MA: IDG, December 1, 2007).
21. IT Policy Compliance Group, op. cit., page 23.
22. Sunny Gupta. "ITIL Adoption," E-business Blog. (Los Angeles: Line56.com, October 13, 2006). http://www.line56.com
23. O'Neill, P. ITIL Adoption Accelerating in IT Service Management, teleconference. (Cambridge, MA: Forrester Research, Inc., 2006).
24. Office of Government Commerce. Best Practices for Service Support. ITIL: the Key to Managing IT Services. (Norwich: The Stationery Office, 2002), page 95.
25. Douglas G. Hoffman. Managing Operational Risk: 20 Firmwide Best Practice Strategies. (New York: John Wiley and Sons, Inc., 2002), page xxii.
26. Cushing Anderson. Information Security and Availability: The Impact of Training on IT Organizational Performance. (Framingham, MA: IDC, sponsored by Symantec Corporation, June, 2007).
NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com
For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA 1 (408) 517 8000 1 (800) 721 3934 www.symantec.com
Copyright 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/08 12818026