it risk management report
TRANSCRIPT
-
8/4/2019 IT Risk Management Report
1/52
IT Risk Management
Report
Trends through December 2006Volume 1, Published February, 2007
IT
RISK
M
ANAGEM
ENT
-
8/4/2019 IT Risk Management Report
2/52
Greg Hughes, Executive Vice President
Worldwide Services and Support, Symantec Corporation
As IT becomes the cornerstone of
our connections with customers, suppliers,
partners, and business information,
identifying and managing IT Risk
becomes a core business capability.
-
8/4/2019 IT Risk Management Report
3/52
Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1 Understanding IT Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security,
Availability, Performance and Compliance each with its own drivers and potential impacts.
2 Process and technology effectiveness in Managing IT Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Technology controls to manage IT Risk are often deployed more effectively than process controls.
Yet organizations that manage IT Risk effectively deploy people and process controls equally well.
3 Aligning IT and business risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
IT has moved from the glass house to the front lines and perceptions of IT Risk often differ by role and
function within organizations.These misalignments are barriers to effective IT Risk management.
4 Understanding effective Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs
and impacts, and design and implement a solution that adapts to organizational requirements.
5 Risk Mitigation: process and payoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
The good news is that theres a substantial upside to IT Risk Management a more effective organization,
with better control of its costs, technology, and future.
Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and
partners can work with us confidently toward our common goals.
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
-
8/4/2019 IT Risk Management Report
4/52
2
Executive SummaryInformation Technology (IT) Risk is a growing component of total Operational Risk. As businesses
increasingly depend on IT to automate processes and store information, IT Risk Management is
emerging as a separate practice. Organizations across sectors and industries have begun to
consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk
includes security, availability, performance and compliance elements, each with its own drivers
and capacity for harm.
This study examined IT Risk, along with the technology and process controls used to mitigate
it, in a year-long study based on in-depth structured interviews with more than 500 IT profes-
sionals around the world. The study determined that across industries, regions, and job roles,
IT professionals:
rate themselves more effective in their deployments of technology than of process controls
see management of IT assets and configuration and change processes as particular problem
areas
see people and process improvements as holding the greatest opportunities for them to move
from good to great
Data from high-performance organizations yielded a surprising and very encouraging result.
More-effective organizations even though they often face higher risk levels expect fewer
incidents than less-effective organizations. More detailed analysis into the specific controls
deployed by these companies revealed that best-in-class organizations perform with high effec-
tiveness across most controls, including process controls, while lower-performing organizations
typically focus on a small number of more tactical controls.
The study identified substantial differences in the ways IT operational personnel and executives
view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT
Risk, and poor alignment between IT Risk Management programs and overall business objec-
tives, may themselves create risk. This appears to occur when Risk Management programs are
not tailored to the specific risk profile of the business or coordinated across functional and
business unit lines leading to areas of both under- and over-investment. Poor organizational
support for IT Risk awareness and training is both a compelling example of poor alignment,
and a major cause.
Best-in-class IT Risk management requires a disciplined approach that includes IT Risk aware-
ness, quantification of business impacts, solution design and implementation across people,
process, and technology, and creation of a sustained IT Risk Management program complete
with performance measurement and a model for continuous improvement. A staged program
helps balance benefits, risks and costs at every step of implementation.
-
8/4/2019 IT Risk Management Report
5/52
3
Highlights
This report is intended for executives with responsibilities for general, financial and IT manage-
ment anyone concerned with IT Risk and its management. With a broad cross-section of
experience from IT professionals across industries, geographies and organization types, the
report should provide context for Risk Management programs at your own organization.
Be sure to check these IT Risk Management Report highlights:
Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1
Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer
incidents: see Effective IT Risk Management performance in Section 2
Asset Management is the least-effective IT process: see Process effectiveness in Section 2
Poor alignment between IT Risk strategy and the risk profile of the business can actually
create higher business risk: see Why alignment on IT Risk matters in Section 3
High performance across most process and technology controls, versus a few targeted areas,
typically separates great from at-risk organizations: see Effective mitigation in Section 5
-
8/4/2019 IT Risk Management Report
6/52
Your customers connect to their
financial future through your
systems and networks.
-
8/4/2019 IT Risk Management Report
7/52
Section 1
Risk is potential damage to an organizations value, often from
inadequate management of processes and events. IT Risk is
emerging as a significant component of total business risk as
IT assumes a more prominent role in organizations, and can
account for more than 50% of total capital expenditure at
some companies. Individual IT Risks may be classified as:
Security risks of unauthorized access, alteration or use of
information
Availability risks of inaccessible business processes or data
Performance risks of delayed access to business processesor data
Compliance risks of violating legal, regulatory or IT policy
requirements
Understanding IT Risk
5
-
8/4/2019 IT Risk Management Report
8/52
6
Understanding IT Risk
What is IT Risk?
Business risks range from everyday operational shortcomings to rare cataclysmic failures.
The types and levels of risk organizations face vary with their business and preferred risk pro-
file. For example, an entertainment company with many customer-facing systems and a strong
brand image might have a very different risk profile than a manufacturer with few externally-
facing systems but significant trade and design information to protect. And a high-growth
financial organization in a developing nation might be more concerned about availability and
performance risks as it scales up operations than a financial organization in a more mature
market where security and compliance concerns prevail.
Business risk is often split into financial and operational components. Financial risk is well un-
derstood, and established markets help organizations manage or transfer their credit, currency,
pricing, and other types of financial risk.
Operational risk results from operations rather than transactions, and may include risks from
external events such as natural disasters or changes in government regulation, or internal
processes associated with product quality, organization and plant performance, loss of intellec-tual property, or supervisory or legal controls.
As IT has become widely and deeply interconnected with business operations, IT Risk has grown
to prominence as a component of total operational risk. More than just a specialty area of
Operational Risk Management, IT Risk Management is emerging as a separate practice because
of the unique role IT plays in todays organizations:
IT is now integral to many business operations and transactions. In Financial Services and
Online Retail, for example, virtually the entire business may be carried out across IT systems
and networks.
IT Risk evolves as fast as technology changes. For example, online phishing fraud and
legal and regulatory requirements for IT countermeasures were virtually unknown just three
years ago.
Lifes risks extend from poor mobile-phone connections through war, famine and
disease. Different risks affect different individuals and organizations in differentways and as the world changes, so do the origins and types of risk we face.
-
8/4/2019 IT Risk Management Report
9/52
7
Identification, measurement, analysis, and management of IT Risk requires specialized
knowledge and skills. Aligning IT skills and processes including IT Risk Management to
organizational goals is a constant challenge.
Figure 1: IT Risk spans four areas, each with its own set of drivers and potential impacts.
Classifying IT Risk
To help organizations understand and analyze IT Risk and organize their mitigation strategies,
Figure 1 outlines a framework for classifying risks according to their impact on the organization.
The framework classifies IT Risks as:
Security risk that information will be altered, accessed or used by unauthorized parties
Availability risk that information or applications will be inaccessible due to system failure or
natural disaster, including any recovery period
Performance risk that underperformance of systems, applications, or personnel or IT as a
whole will diminish business productivity or value
Compliance risk that information handling or processing will fail to meet regulatory, IT or
business policy requirements
These four categories classify all elements of IT Risk that we have seen in organizations. Table 1
(next page) provides further information and examples of sources and potential impacts of risks
in each category.
Although the survey on which this report is based concentrated on Security and Compliance
areas of risk, this implies no prioritization of the four elements of IT Risk. As we will see, every
organization has its own unique IT Risk profile, and prioritization of these elements is an impor-
tant early step in establishing an effective IT Risk Management program.
Secur
ity
Availability
Perf
orm
an
ceCom
plian
ce
IT
Risk
Keep Bad Things Out
Keep Important Things In
Internal and External
Malicious Threats
IT Policy and
External Regulations
Application Performance
and IT Performance
Natural Disasters and
System Failures
Ensure Adequate Controls
Automate Evidence Collection
Optimize Resources
Ensure Correct Configuration
Keep Systems Up
Ensure Rapid Recovery
-
8/4/2019 IT Risk Management Report
10/52
Table 1: Categories of IT Risk, with examples of the sources and potential impacts associated with each.
8
Risk Category
Security
Compromise of information,
confidence in it and technologyand processes for managing it
Availability
Failure or delay in delivering IT
processes or information needed for
business transactions and operations
Performance
Slow or inefficient operation of IT
processes supporting business trans-
actions and operations
Compliance
Penalties, fines and loss of reputation
from failure to comply with laws and
regulations, or consequences of non-
compliance with IT policies
Source
- External attacks
- Malicious code
- Physical destruction
- Inappropriate access
- Disgruntled employees
- Proliferation of platform
and messaging types
- Hardware failures
- Network outages
- Poor change management
processes- Data center failures
- Force majeure
- Poor system architectures
- Network congestion
- Inefficient code
- Inadequate capacity
- Regulations unique to each jurisdic-
tion, including:
Graham-Leach-Bliley Act
EU Data Protection
Directive
Health Insurance Portability
and Accountability Act
(HIPAA)
Sarbanes-Oxley Act
- Legal actions
- Internal IT safeguards supportingcompliance
- Inadequate third-party compliance
standards
- Expansion from central to end-point
compliance
Potential Impact
- Corruption of information
- External fraud
- Identity theft
- Theft of financial assets
- Damage to reputation & brand
- Damage to assets
- Abandoned transactions and lost
sales
- Reduced customer, partner, em-
ployee confidence
- Interruption or delay of business-
critical processes
- Reduced IT staff productivity
- Reduced client satisfaction
- Reduced client or partner loyalty
- Reduced user productivity
- Interruption or delay of business-
critical process
- Lost IT productivity
- Damage to reputation
- Breach of client
confidentiality
- Litigation
- Executive productivity
-
8/4/2019 IT Risk Management Report
11/52
What drives IT Risk?
From October 2005 through October 2006, Symantec surveyed 528 individuals on topics related
to IT Risk. Participants held a range of professional responsibilities in organizations of different
sizes, industries and geographies the Appendix provides demographic details.
To assess the magnitude of IT Risk associated with core business processes, we asked a subset
of respondents (n = 310)* to rate the IT Risk associated with each of seven key businesses
processes in their organization.1 The results are shown in Figure 2.
Figure 2: IT Risk associated with each of seven key business processes. IT Risk associated with Finance and Administra-
tion processes (leftmost column) led participants ratings for High or Critical risk, followed by those associated with
critical customer-facing and operational tasks. Research and Supply-chain processes received the lowest risk ratings.
9
LowNil Moderate High Cr itical
IT Risk by Business Process
0%
20%
40%
60%
80%
100%
%
ofrespo
ndents
Finance,
Admin.
CRM Operations Business
Intel.
Corp.
Resources
R&D Supply Chain
Customer Relationship Management (CRM) sales and electronic commerce
Supply Chain Management (SCM) the entire product value chain from source to end-user
Operations Management operational control of continuous service and product processes
Research & Development the development cycle of products and service offerings
Business Intelligence the corporate ability to make timely, informed business judgments
Finance & Administration the process of financial and administrative management
Corporate Resources business functions supporting the organization as a whole
Business-process definitions
* This study used two separate survey instruments some questions were repeated on both; others not. Numbers in parentheses (n= ) report the number ofsurveys supporting each graph or data comparison. Please see the Appendix, Survey instrumentsfor details.
-
8/4/2019 IT Risk Management Report
12/52
Systems and processes supporting Finance and Administrative were associated with the great-
est IT Risk, with over 66% of the respondents rating it High or Critical. Sales, Operations and
Business Intelligence processes ranked second, with 53% giving Critical or High ratings for all
three measures. Research & Development and Supply Chain Management systems and pro-
cesses introduced the least amount of IT Risk; only 27% of those surveyed rated SCM risks as
High or Critical, and just 33% rated R&D risks this way.
These results highlight two important points. First, IT Risk affects every major business process
category: for even the lowest-ranked business process, nearly a third of professionals ranked IT
Risk High or Critical. Second, IT Risk is highest for critical operational functions or those that
manage critical and proprietary or confidential information, and lower only for functions further
removed from revenue generation and the customer experience.
Our analysis also explored the components of compliance risk. Participants were asked how
much risk each of six categories of regulations introduced into their organization. The resultsare illustrated in Figure 3 (n = 528 except for Data Retention, n = 310).
Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance. Data Protection and Retention show
the highest proportion of High and Critical ratings, followed by Corporate Governance.
Respondents saw Data Protection and Retention introducing the greatest amount of compliance
risk into their organizations, with a very substantial 66% and 70% of respondents rating these
risks as High and Critical, respectively. Compliance with Corporate Governance policies ranked
third, with 55% High or Critical ratings. About half the respondents rated Intellectual Property
risk as High or Critical, while National Security and Criminal and Civil Laws were seen to intro-
duce the least risk only 36% and 44% of respondents, respectively, rating these either High
or Critical.
10
LowNil Moderate High Critical
IT Risk by Compliance Area
0%
20%
40%
60%
80%
100%
%
ofrespondents
Data
Retention
Data
Protection
Corp.
Governance
IP Civil,
Criminal
National
Security
-
8/4/2019 IT Risk Management Report
13/52
As with Business Processes, respondents expressed strong concerns about IT Risk in every Com-
pliance area risks in even the lowest-ranked areas were seen as significant by a third to half of
the respondents. More significantly, more than half the respondents saw High or Critical IT Risk
in areas governing the proper operation of their organizations and protection of critical informa-
tion. This level of concern across so broad a range of roles and industries underscores how
poorly managed these risks may be judged by those best-positioned to know.
To help understand the impact of IT Risk associated with compliance processes, we compiled an
index to measure the relative importance of each of the six compliance measures above, and
applied it to organizations with different demographics.
Results show that organization size is a significant determinant of perceived compliance risk.
For example, while 33% of organizations with more than 20,000 employees see compliance riskas critical to their organizations, only 15% of organizations with fewer employees do. Although
a definitive explanation for this requires further investigation, the data are consistent with
larger organizations greater complexity, number of business processes and operations, and
geographic span of operations, exposing them to more regulations and requiring greater com-
pliance with internal policies to monitor and govern organizational behavior.
The Aerospace and Defense industry segment was the only industry in which a majority of
respondents rated compliance risk as critical. And despite the stringent regulations they face,
only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as
critical. Respondents from Europe, the Middle East and Africa generally saw less risk associated
with compliance than their counterparts in the United States. In Section 5, we will explore
reasons for low risk ratings by organizations operating in high-risk environments.
11
Data Protection securing confidentiality of private and personal information, for example against identity theft
Data Retention ensuring that enterprise data is stored securely and retained for access by legitimate users
Corporate Governance assuring that public disclosures accurately reflect corporate performance
National Security protecting citizens and national infrastructure from terrorism, war, or national disaster
Civil & Criminal Legal Framework assuring that IT systems and networks systems support legal infrastructure
through electronic signatures, data movement and use of IT resources
Intellectual Property Protection protecting individual and corporate intellectual property
Compliance definitions
-
8/4/2019 IT Risk Management Report
14/52
Patient health and privacy
connect when medical records
are transmitted or stored.
-
8/4/2019 IT Risk Management Report
15/52
Section 2
Effective IT Risk Management requires competence and invest-
ment in processes and technologies. Professionals surveyed
at all levels of organizations across industries, scale, and
geographic reach, see their organizations capabilities to
deploy IT Risk Management technologies as more effective
than their capabilities deploying processes.
Process and technology effectiveness in
Managing IT Risk
13
-
8/4/2019 IT Risk Management Report
16/52
IT Risk Management processes andtechnology
Controls for IT Risk ManagementAlthough Risk Management principles have received wide attention, few organizations have for-
malized their IT Risk Management programs until recently. In the past few years, however, more
organizations have added Chief Risk Officers and other executive positions with responsibilities
for IT Risk management, or have adopted formalized service-management standards such as
the IT Infrastructure Library (ITIL), ISO 17799, and COBIT to help them manage IT Risk.
The most effective IT Risk Management programs use well-defined controls that combine well-
chosen technologies and best-practice processes. We have identified eight technology and eight
process controls that represent best practices for managing IT Risk (see sidebar, Process and
Technology Controls for IT Risk Management, for details). They are derived from best practices
defined by international standards including the code of practice for information security man-
agement (ISO/IEC 17799:20052), COBIT3 and ITIL, published by the United Kingdoms Office of
Government Commerce,4 refined by Symantec experience in dealing with highly effective organi-
zations, and expanded to encompass availability and performance in addition to security and
compliance.
We asked survey participants to rate their success implementing each of the defined IT Risk
Management controls both process and technology. We also asked them to rate the amount of
risk their organizations face, to determine whether organizations facing high levels of risk are
more likely to have implemented highly-effective controls.
14
While acknowledging the relevance of Risk Management to IT, organizations
often struggle to put its principles into practice. Participants ratings of their
organizations effectiveness deploying processes and technologies for IT Risk
Management depend not only on their organizations industry, size, range of
operation and other demographic factors, but on the differing perceptions of
professionals within the organizations.
-
8/4/2019 IT Risk Management Report
17/52
15
Process Controls
IT and Security Strategic Management, Policy andArchitecture architectures, policies and strategies
defined to run IT services
Organizational Structure, Roles and Responsibili-
ties standards for interactions between groups;
authority for security and external security-related
communications
Training and Awareness processes to increase
visibility and knowledge of security risks
Assessment and Auditing processes to assess the
environment, controls, policies and processes used to
implement strategy
Authentication, Authorization and Access Manage-
ment processes and technology to verify users
identities and control access to resources
Operational Design, Workflows and Automation
design and implementation of automated solutions;
workflow and resource management
Asset Inventory, Classification and Management
processes to identify and classify assets, supporting
execution of asset-class-based policies
Incident Readiness and Response standards for
preparation for and response to incidents
Technology Controls
Application Design, Development and Testing processes, procedures, and methodologies to ensure
that new and updated applications are appropriate,
efficient and secure
Systems Build and Deployment systems and tech-
nologies to assure effective, secure deployment of new
and updated systems
Data Life Cycle Management technology to move,
replicate and protect data
Configuration and Change Management tools and
processes to regulate change
Resilient Infrastructure technology to detect and
correct vulnerabilities related to availability (e.g.,redundancy and failover)
Performance Management technology to monitor
and manage system performance
Network, Protocol and Host Security network
design and infrastructure including segmentation,
protocols, perimeter defense and availability
Physical Security technologies governing access to
IT infrastructure and facilities
Process and Technology Controls for IT Risk Management
-
8/4/2019 IT Risk Management Report
18/52
Process effectiveness
We surveyed our sample of IT professionals (n=310) to understand how effective they thought
their organizations were in deploying eight key process-based controls. The results are shown in
Figure 4.
Figure 4: Ratings of organizations effectiveness at IT Risk Management processes, ordered left-to-right in decreasing
order of perceived effectiveness.
Authentication, Authorization and Access was rated highest for effectiveness, with 68% of
respondents rating their organizations more than 75% effective. Asset Inventory Classification
and Management was lowest, with only 38% rating their organizations more than 75% effective.
The findings show that most IT professionals feel their organizations are most effective deploying
tactical controls for which they are accountable: organizational structure, and authentication,
authorization, and access. They rate themselves moderately effective at policy-setting and com-
pliance, assessment and audit, and incident response. And few felt they performed effectively in
employee and IT staff training and awareness, operational design, or asset management.
The data show that the path from basic performance to best practice requires moving IT Risk
Management programs away from a reactive posture, designed for protection against malicious
external threats. Instead, programs should raise IT Risk awareness and spread avoidance and
mitigation efforts throughout their organizations.
Respondents rated Asset Inventory Classification and Management least effective of all their
deployments. Yet this discipline is fundamental to build an IT Risk Management program that
reflects the organizations priorities. Without careful risk assessment, all assets are likely to be
treated equally, so that some will be overprotected and others underprotected.
16
IT Risk Management Process Effectiveness
%
ofrespondents
100%
80%
60%
40%
20%
0%Authent.,
Authorization,
Access
Organizational
Structure
Incident
Response
IT Policy
Management,
Architecture
Assessment,
Audit
Training,
Awareness
Operational
Design
Asset Inv.,
Classification,
Management
90% effective
-
8/4/2019 IT Risk Management Report
19/52
Technology effectiveness
Figure 5 below represents how effective organizations are in deploying technology controls:
Figure 5: Ratings of organizations technology effectiveness, ordered left-to-right in decreasing order of perceived
effectiveness.
Network Protocol and Host Security and Physical Security were the top-rated technology
control deployments, with 80% and 77% of respondents, respectively, rating their organiza-
tions more than 75% effective. These are the strongest ratings of all controls, process or
technology. Configuration and Change Management received such ratings from only 55%
of respondents, and Performance Management from just 52%. Secure Application Develop-
ment was least-frequently rated effective, with only 43% rating their deployments 75%effective or higher.
The low ratings of configuration and change and performance management deployments are
significant. Organizations use these technologies to understand the configurations and per-
formance levels of IT assets so they can minimize service disruptions and increase throughput.
These deployments are critical in keeping systems stable, performing effectively, and up to date.
Poor configuration and change management also constrains efforts to adapt and modernize
systems for new opportunities or threats.
Although the survey identifies change management as a problem area, there are recent signs
of improvement. In their ITIL Change Management Maturity Benchmark Study,5 Evergreen
Systems noted that, IT executives are increasingly integrating and internalizing change manage-
ment procedures, processes and tools as core components of the organization. We will see
in Section 4 that these disciplines are important drivers of performance improvements in IT
organizations.
17
IT Risk Management Technology Effectiveness
90% effective
0%
20%
40%
60%
80%
100%
%
ofrespondents
Network,
Protocol,
Host Security
Physical
Security
Resilient
Infrastructure
Secure Data
Lifecycle
Management
Secure
Systems
Config.
and Change
Management
Perform.
Management
Secure
Application
Development
-
8/4/2019 IT Risk Management Report
20/52
The role of secure application development is growing, as IT professionals recognize its effec-
tiveness in preventing exploitation of application vulnerabilities by eliminating them at the
source. The technology requires substantial early investments in tools and skills, so while
secure application development proves very cost-effective over time, it remains in an early
stage of adoption at most organizations.
Technology and Process effectiveness index
To compare organizations effectiveness deploying IT Risk Management processes and technol-
ogy by industry, geography, organization size and respondent job role, we defined two indexes.
The first averages ratings for eight process controls, the second for eight technology controls.
We set levels to classify organizations as Strong, Good, Weak or Poor at implementing and
deploying these controls.
Figure 6 compares these effectiveness ratings. It shows that organizations are generally moreeffective implementing technology than they are processes: 33% rated Strong on the Technol-
ogy Effectiveness Index; only 25% on the Process Effectiveness Index.
Figure 6: Effectiveness indexes of organizations, rating implementation effectiveness of technology and process
controls; each index averages eight individual factors. Organizations implementations are generally stronger for
technology controls.
Process effectiveness lags behind technology despite the recent industry focus on processes,
using frameworks such as ITIL, ISO and COBIT.6 For a closer look, we analyzed the data according
to demographic categories.
The relative strength of technology over process effectiveness was robust across industry,
organization size, operating region, and professional role of respondents, with just a few varia-
tions, specifically:
18
Poor Weak Good Strong
IT Risk Management Process vs. Technology EffectivenessEffectiveness Index
100%
80%
60%
40%
20%
0%
%
ofrespondents
Process Technology
-
8/4/2019 IT Risk Management Report
21/52
only in Government, Healthcare and Manufacturing did effectiveness deploying process
controls even approach parity with effectiveness deploying technology controls; in no case
were process controls rated more effective.
large organizations and global organizations (often the same) were more effective deployingboth technology and process controls, but every classification showed greater effectiveness
with technology controls than with process controls.
ratings of overall effectiveness from Managers were higher than those from either Directors
or Executives; again, all groups rated their organizations more effective with technology than
with process controls for IT Risk Management.
Best in Class: IT Risk and incident expectations
To help understand what makes organizations stand out as Best in Class at IT Risk Management,
we divided 310 respondents into quartiles according to their overall effectiveness in the 16process and technology controls identified earlier. The classifications were:
Best in Class top quartile (76th or better percentile, n=77)
Better second (51st to 75th, n=78)
Good third (26th to 50th, n=77)
Worst fourth (25th or worse n=78)
For each quartile, we calculated and plotted separate indexes for regulatory and operational
IT Risk (across 6 compliance and 7 business-process IT Risk areas), together with the rates at
which respondents expected IT incidents. Results appear in Figure 7.
Figure 7: Expected IT incident rates and two categories of IT Risk for organizations in each IT Risk Management perform-
ance quartile. IT incident expectations decline with effectiveness, despite increasing perception of IT Risk.
19
Perceived IT Risks and Incidents by IT Risk Management Effectivenessby Quartile
1
2
3
4
5
Worst
Index
Good BestBetter
Compliance Risk Business Process Risk Incidents
-
8/4/2019 IT Risk Management Report
22/52
These results show that organizations rated more effective at managing IT Risk also experience
higher levels of both Regulatory and Operational Risk. We had anticipated higher incident
rates at high risk levels, either because negative impacts are more likely where risk exposure is
higher, or because organizations base their perceptions of risk on incident expectations. The
data show the opposite: effective organizations expect fewer incidents despite operating
in riskier environments.
This result suggests that by building awareness of exposure to IT Risks and improving technol-
ogy and processes for mitigating them, organizations may actually reduce incident rates below
the levels experienced by less-effective firms operating in safer environments. The result also
cautions organizations not to count on a low-exposure operating environment to protect them
from incidents without effective technical and process controls.
Effective IT Risk Management performance
The relationship between organizations IT Risk Management controls and expected incident
rates deserves a close look. For example, weve seen that despite facing the studys highest
levels of risk, best-in-class organizations expect the lowest realization of IT Risk, measured as
incidents. Clearly, they are doing something right what is it?
When we fielded the research, we believed that the 16 process and technology controls identi-
fied in earlier sections would prove to be effective defenses or countermeasures, reducing an
organizations exposure to both external and internal IT Risks. To test this hypothesis, we used
data from performance quartiles identified in the preceding section to plot organizations effec-
tiveness in deploying each individual process or technology control.
In the radar graphs of Figure 8, gaps between the concentric polygons reveal differences in
effectiveness from one performance quartile to another for example, the jump in Training
and Awareness process effectiveness between the Worst and Good groups in Figure 7.
Asymmetries in the polygons reveal imbalances in effectiveness for example, the high esti-
mates of Network Protocol, Host Security technology effectiveness for all quartiles in Figure 8.
The lowest-performing quartile shows modest performance in two process areas (organization
and authentication/authorization/access) and two technology areas (network and physical
security). These areas are the most tactical in scope and straightforward in implementation, and
therefore where most organizations get started. They have deployed other controls lightly or not
at all, and assess their deployments as fairly ineffective.
20
-
8/4/2019 IT Risk Management Report
23/52
Effectiveness with Controls for Managing IT RIsk
Figure 8: Process (top) and technology (bottom) control effectiveness scores for organizations in each performancequartile. Organizations with higher performance show effective performance across most or all measures (shown as
distance from the graphs center), rather than heavy emphasis on a few.
Moving from the lowest quartile to the highest reveals a clear trend. More-effective organizations
increase the number of controls they deploy, and raise the effectiveness of deployment of each
control. Organizations in the top two quartiles begin to experience diminishing returns in areas
such as physical security and authentication, authorization, and access, and much better returns
on measures such as configuration and change management, data lifecycle management,
operational design, training and awareness, and others. The path from good to great IT Risk
Management, then, involves moving from tactical, technical, and reactive to strategic, expansive,
and proactive measures. It also requires a balanced program to evaluate all 16 measures and
optimize incremental investments of people and dollars to achieve the greatest impact.
21
Process Controls
by Quartile
Assesment, Audit
Training, Awareness
Operational Design
Incident Response
Asset Inv., Classify, Mgmt.
IT Policy Mgmt., Architect
Authent., Author., Access 1
2
3
4
5
Org. Structure
Technology Controlsby Quartile
Secure Systems
Secure Appl. Development
Config. and Change Mgmt.
Secure Data Lifecycle Mgmt.
Perform. Mgmt.
Resilient Infra.
Physical Security
Network, Protocol, Host Security
Worst Good Better Best Mean
-
8/4/2019 IT Risk Management Report
24/52
Critical connections face unique
risks, and require special defenses.
-
8/4/2019 IT Risk Management Report
25/52
Section 3
Organizations manage risks so that they can pursue opportu-
nities while keeping costs under control. Aligning differing
perspectives on and activities toward IT Risk among technical
staff, managers and executives, and across departments and
regions is critical to avoid gaps, duplication, and waste.
Aligning IT and business risks
23
-
8/4/2019 IT Risk Management Report
26/52
-
8/4/2019 IT Risk Management Report
27/52
Our survey data identified lack of alignment on assessments of IT Risk within IT departments
themselves, and between IT departments and the organizations they serve.
Achieving internal alignment on IT Risk
The survey classified respondents jobs into Executive, Director, Manager, and Professional cate-
gories. Since the latter group includes non-IT employees, consultants, and third parties, the
analysis concentrates on the first three groups. Respondents reported the level of IT Risk they
perceived, first in complying with regulatory and policy requirements, and second in carrying
out business operations.
Figure 9 shows the level of compliance risk perceived across the range of professional responsi-
bilities in the survey. The results show an organizational chasm between the ranks of Managers
who implement IT programs and therefore bear responsibility for the internal risk exposures
and shortcomings of the organization and senior Executives who set direction for the organi-zation, and bear responsibility for its exposure to external risks. The chasm appears in the
assessment of Critical risks at the Director level. Directors were least likely to perceive compli-
ance risk as Critical: only 16% did so, against 22% for Executives and Managers. Assessments
of High risks were close to parity: 44% of Directors rated their compliance risk as High, the
same as Managers and two percentage points below Executives.
Figure 9: Ratings of organizations compliance IT Risk by respondents in four job categories. Directors reported lower
levels of compliance risk than Executives or Managers.
25
Low Moderate High Cr it ical
100%
80%
60%
40%
20%
0%
Perception of Compliance IT Risk by Professional Responsibilityby Job Role
Executive Director Manager Professional
%
ofrespondents
-
8/4/2019 IT Risk Management Report
28/52
Figure 10 repeats the analysis for IT Risk introduced by Business Processes. Misalignment of IT
Risk perceptions was even more dramatic, but in the opposite direction: 22% of Directors per-
ceived Business Process Risk as Critical, against only 8% of Executives and 12% of Managers.
Figure 10: Rating of organizations' business process IT Risk by respondents in four job categories. Directors reported
lower levels than either Executives or Managers.
Disagreements among the ranks continued with process and technology effectiveness ratings.
Section 2 revealed different effectiveness ratings for deployment of process and technology
capabilities. A closer look shows that while 39% of IT managers report their organizations 75%
or more effective in implementing technology capabilities, only 27% of executives agreed.
Again, IT professionals differ by job role in assessing their risk-management environments.
Of course, since these respondents were drawn from different organizations, alignment may be
better within organizations than the job-role analysis suggests. But the systematic differences
seen among Executive, Director and Manager perceptions were outside expectations based on
differences in experience with a regulation or technology.
The survey data, as well as discussions with respondents, revealed that the operational staff
closest to implementation of IT programs may be the most inwardly-focused, and have the high-
est awareness of specific weaknesses. Senior executives most removed from day-to-day opera-
tions may share a high perception of IT Risk, but with perceptions based on awareness of
external factors and concern for the unknown. The Director level which would ideally bridge
these operational and strategic viewpoints to facilitate alignment may be biased toward tacti-
cal operational risks over external or regulatory risks, due to their direct accountability for
operational IT Risks.
26
0%
20%
40%
60%
80%
100%
Low Moderate High Critical
Perceptions of Business Process IT Risk by Professional ResponsibilityJob Role
%
ofrespondents
Executive Director Manager Professional
-
8/4/2019 IT Risk Management Report
29/52
Why alignment on IT Risk matters
Misalignment of perceptions and actions is more than just a source of internal disagreement
about IT Risk Management policy; it can itself become a source of IT Risk. Misalignment occurs
in two ways, either of which may elevate risk.
The first type of misalignment is internal to IT, causing gaps in the way systems and processesare developed, deployed and managed. Invisible until something goes wrong, these gaps may
cause sudden unexpected service-level shortfalls, system downtime, and security breaches.
Today this disconnect often occurs along organizational lines for example, in the seams
between the executives and functions responsible for security, compliance, and operational
business continuity and availability. Solutions such as messaging typically require all these
functions to converge on a solution that is secure, available, and compliant, yet organizational
alignments make convergence difficult to achieve.
27
Collecting data for this study at IT conferences and roundtables, we heard a recurring theme about alignment.
Respondents told us that training users about IT and security risks, for example, ranked among their greatest
challenges. Recall that in Figure 4 of Section 2, we saw that Training and Awareness ranked third from thebottom in effectiveness among eight process controls. They insisted that technology-based controls can only
go so far, and that effective mitigation of IT Risk requires behavioral changes by end users throughout the
organization.
Two elements were frequently cited as necessary to encourage behavioral change. The first was quantification
of value to the organization as a whole. Until an organizations stakeholders understand the impact of lost infor-
mation, unavailable systems, and non-compliant processes in terms that are meaningful to them lost sales,
dissatisfied customers or reduced productivity, for example sustained focus will remain out of reach. Dramatic
examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insuffi-
cient motivation to do more than the minimum.
The second element is culture. Organizations have different risk profiles to which IT Risk programs should be
tuned. But they may also incorporate different workforces and cultures that will accept different levels of IT pol-
icy awareness and compliance. For example, a company with tens of thousands of employees averaging 24 years
of age may require a very different policy for IM use and Web access on company systems and time than smaller
companies with older workforces. Selective enforcement and highly visible actions may be more effective than
stringent policies that are unenforceable because they fail to align with the organizations culture.
Alignment the business side
-
8/4/2019 IT Risk Management Report
30/52
The second type of misalignment is between the IT function and the rest of the organization.
The IT Risk program may not fully reflect or respond to the needs of the organization as a whole,
resulting in loss of agility and increased risk. Alternately, organizational units and functions
may not have sufficient awareness of their own IT Risk exposures. These disconnects result in
ivory tower IT programs that over-invest in risk areas relevant to IT but not necessarily high
organizational priorities, or under-invest in areas critical to organizational goals. Both result in
lower contributions to the organizations overall success.
Active management and mitigation of IT Risk requires IT departments to avoid risks created by
misalignment. First, they must make sure their departments are aligned internally. From the CIO
to the backup administrator, everyone in the department should share an understanding of IT
Risks and priorities, and how they relate to their own areas of responsibility. Second, IT man-
agement must work closely with clients and stakeholders in the organization as a whole, enlist-
ing their help to assure that IT priorities reflect the organizations goals and objectives, and to
drive compliance with IT Risk Management programs where necessary. In combination, internal
and business alignment assures appropriate resource allocation and operational efficiency.
Companies following best practices in managing IT Risk incorporate the IT Risk strategy within
the organizations annual planning process to ensure alignment within IT and across the
organization, and then track performance at an executive level as part of a corporate balanced
scorecard.
28
-
8/4/2019 IT Risk Management Report
31/52
29
How do your incident expectations measure up to those of the organizations in the survey? Answer these four
questions, and check your results against survey norms on the last page of the report:
Context: What reflects the expected frequency of the following incidents in your organization?
1. Regulatory Your enterprise is found to be out of compliance with one or more governing
Non-Compliance regulations:
Never
Once every 5 years
Once every 2 years
Once a year
More than once a year
2. Major Information Service impact to your organization, caused by a loss of information, confidential-
Loss ity, integrity or availability (e.g. data center outage, data corruption, full breach of
security):
Never
Once every 5 years
Once a year
Twice a year
More than twice a year
3. Major IT Impact Severe impact to your IT organization affecting more than 10% of your clients
and/or servers halting operations of some critical part of your operations:
Once every 5 years
Once a year
Twice a year
5 times a year
More than 5 times a year
4. Minor IT Impact Minor impact to your IT systems affecting less than 10% of your clients and/or
servers, hinders the work of individuals or groups:
Once a year
10 times a year
20 times a year
Every day
More than once a day
Sample questions
Answers to self-test on page 47.
-
8/4/2019 IT Risk Management Report
32/52
Your business depends on reliable
connections with suppliers,
distributors, and customers.
-
8/4/2019 IT Risk Management Report
33/52
Section 4
Organizations achieve effective IT Risk Management by deploy-
ing a broad range of IT technology and process controls. The
transition from good to great IT Risk Management is achieved
primarily by increasing effectiveness across the full range of
measures in a structured, disciplined program that proceeds
from a broad assessment of IT Risks to a closed-loop process of
continuous improvement.
Understanding effective Risk Management
31
-
8/4/2019 IT Risk Management Report
34/52
Understanding effective IT RiskManagement
Achieving Best in Class IT Risk ManagementFew organizations have achieved the level of IT Risk Management performance achieved by
Best in Class organizations in this survey. The field is still emerging, and not all organizations
are yet organized to deal with IT Risk in an integrated fashion. Nor do all companies face the
same levels of IT Risk or share similar risk profiles. The case for change, however, is compelling:
organizations are experiencing rising incident rates across the areas of security, availability,
performance, and compliance, with significant impact to revenue, reputation, productivity, and
cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthor-
ized access to information averaged over $85,000 in 2006,8 and system downtime costs reached
tens of thousands of dollars per hour.9
It doesnt take long for incidents of this scale to createsignificant drag on an organization.
How can organizations advance from good IT Risk Management practice to great? For organiza-
tions trying to manage IT Risks effectively, the challenge includes understanding their portfolio
of IT Risks, quantifying and prioritizing them against the organizations risk profile, and devel-
oping an effective program of remediation activities.
A five-step process can help organizations assess their levels of IT Risk, develop remediation
roadmaps, and ultimately build effective, continuous IT Risk Management Programs. While the
steps themselves, detailed in Figure 11, may seem familiar, the specific tools and tasks support-
ing them are very valuable, and linkages between phases help maintain focus and continuity of
organizational commitment.
32
How can an organization build its capabilities for IT Risk Management? While
there is no single formula or protocol, a broadly-applicable assessment, quan-
tification, design, alignment and measurement program can help organizations
marshal their resources effectively to achieve real, lasting improvements in
IT Risk Management, often while reducing IT infrastructure and process com-
plexity and cost.
-
8/4/2019 IT Risk Management Report
35/52
Figure 11: Five-step IT Risk Mitigation process.
Step 1 Develop awareness of IT Risks
IT Risk mitigation begins with comprehensive discovery, including:
establishing the programs scope (how expansive a view of IT Risk is appropriate?)
constructing a risk profile for the organization based on its overall priorities
identifying key areas of IT Risk
For many companies, the challenge of discovery includes both identifying new areas of risk,
often by evaluating the risk profile and assessment against IT best practices, and organizing the
dozens or hundreds of IT Risks of which they are already acutely aware.
A common question at this stage is, How do I take the issues I already know about and assem-
ble them into a comprehensive, structured framework I can assess and prioritize? A clear
framework requires identifying critical IT assets and understanding how they support criticalbusiness processes. Critical assets include the technology infrastructure underlying corporate
operations, staff with privileged access to information, and the organizations IT operational
processes.
Assessment should also consider the organizations current requirements, capabilities and
vulnerabilities. Requirements include legal obligations such as regulations, contracts, and
service level agreements, as well as business requirements such as the privacy, availability,
and integrity of business information.
Finally, this stage involves identifying and classifying threats, issues, vulnerabilities, and
weaknesses, assigning each a priority according to risk. The search for vulnerabilities and
weaknesses should cover applications, infrastructure, operations, and organizations.
33
DevelopAwarenessof IT Risks
QuantifyBusinessImpacts
DesignSolution
Align IT /Business Value& ImplementSolution
Build &ManageUnifiedCapability
Step 1 Step 2 Step 3 Step 4 Step 5
IT Risk Assessment and Management Process
-
8/4/2019 IT Risk Management Report
36/52
Step 2 Quantify business impacts
Quantifying business impacts is typically the most challenging step and the most important.
Until they have quantified the impact, positive or negative, of addressing an area of IT Risk,
IT leadership may be unable to attract their colleagues attention to it, or the funds needed formitigation.
The currency of the business case varies according to the business and the area of risk. A Web
site crash will mean lost revenue or sales for a retailer, negative brand impact or lost viewers for
a media company, lost productivity for a manufacturer, and so on. The key is to build a case that
makes sense in the local currency, whatever it may be.
Quantification of business impacts typically follows a two-phased approach. In the first, the full
portfolio of risks is coarsely prioritized based on potential business impacts according to the
organizations risk profile and the ease or difficulty of risk mitigation, measured in time, staff
resources, and investment. The second phase builds detailed business arguments for only those
risks identified as high-impact areas. The model can be iterative, and it should be periodic,
linked to the organizational and IT planning cycles.
Step 3 Design solution
At this point, the organization knows the scope and components of its Risk Management pro-
gram, its current status, and the priority and quantification of each area of IT Risk.
The next step is to design a set of remediation solutions, across the classic elements of people,
process, and technology, each with requirements, specifications, goals, and functions. For some
organizations this will be a narrowly-focused activity to address the most imminent areas of
risk; for others a longer-term program with sequenced waves of initiatives.
This phase also includes detailed costing analysis to keep costs and benefits of proposed initia-
tives aligned to organizational goals. For example, a model might be designed to provide tiered
levels of service based on the priorities for different types of data and portions of the business.
Solutions that reduce risk frequently also reduce complexity and cost. This is especially true
when risks have been introduced by dense or poorly-followed processes, misaligned organiza-
tional models, or unclear requirements or policies.
34
-
8/4/2019 IT Risk Management Report
37/52
Step 4 Align IT and business value; implement solution
Although quantification is the most difficult step, most programs success lies in the effective-
ness of implementation. Implementation determines whether risk-mitigation initiatives are
deployed successfully across people, process, and technology with close involvement of organi-zational stakeholders, or devolve into local IT projects measured narrowly by software and gear
implemented and administrators trained.
Closed-loop measurement and continuous improvement are essential. With a coherent system
of metrics and performance management capabilities, organizations set the stage for collection
of baseline data, performance tracking, and assessment of program effectiveness against the
original business case.
Step 5 Build and manage unified capability
Once implementation of the first wave of IT Risk solutions is underway, organizations shouldinstitute programs for continuous improvement and ongoing governance of their IT Risk Man-
agement program.
As in most change-management programs, IT Risk Management follows a maturity model that
begins with tactical basics and evolves to Best-in-Class performance. For most organizations,
their position in this maturity model depends on their IT Risk profile and progresses through
several waves of organizational, process, and technological change before reaching its goal. By
adapting their efforts as their experience and effectiveness grow toward maturity, organizations
can avoid or overcome the most common implementation challenges, including:
replacing guesswork with quantification and prioritization of IT Risk Management efforts and
investments
replacing intermittent, reactive projects with a program that delivers consistent improve-
ments over the long run
replacing speculation with clear progress against consensus goals to secure the long-term
investments needed for mitigation of IT Risks
35
-
8/4/2019 IT Risk Management Report
38/52
Connections bring both opportu-
nities and risks managing them
is everyones job.
-
8/4/2019 IT Risk Management Report
39/52
37
Section 5
In order to understand organizations IT Risk strategies better,
we classified respondents into profiles based on their level of
IT Risk and IT Risk Management effectiveness. While there are
many ways to manage risk successfully, the resulting levels of
risk and the costs to the organization can vary greatly. The best
companies align investment to exposure, to focus attention
and resources where they matter most.
Risk Mitigation: process and payoff
37
-
8/4/2019 IT Risk Management Report
40/52
IT Risk mitigation profiles
Effective mitigation
To explore the limits of risk mitigation, we performed a cluster analysis (n=310) to identify con-
sistent patterns in survey respondents risk exposure, effectiveness of mitigation efforts, and
expectation of IT incidents. The analysis revealed three groups in which respondents are similar
to one another, but different from those in the two other segments:
At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing
medium to high levels of IT Risk, but demonstrate poor effectiveness in addressing it through
mitigating process and technology measures. Organizations with this profile typically expect a
high rate of incidents.
IT Risk Mitigators (23%) maintain effective IT Risk Management programs, but actually
experience low levels of IT Risk. Organizations in this category seem to address IT Risk
through overinvestment, ensuring mitigation, but at high costs.
IT Risk Balancers (42%) pursue a matching strategy, meeting their organizations high levels
of IT Risk exposure with highly-effective mitigation processes and technologies. These organi-
zations are frequently Best in Class.
Figure 12 shows the performance of the three groups revealed by the cluster analysis, display-
ing all five underlying measurements instead of the single composite score used to create the
clusters. The most interesting results are from the IT Risk Mitigator cluster. Mitigators, like Bal-
ancers, show high process and technology effectiveness yet they face the lowest IT Risk levels
of any group. Nothing in their underlying demographics separates Mitigators from Balancers.
Instead, it appears that these organizations have chosen IT Risk Management strategies that
meet comparatively low levels of IT Risk with investments that keep their mitigation processes
and technologies highly effective. Mitigators expect to enjoy low incident rates, but it is possible
that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would
identify over-investments, signaling excessive costs, and missed opportunities elsewhere.
38
The way an organization manages the challenges in its environment can make
the difference between a defensive, reactive position and an active posturethat gives it the freedom to choose appropriate risks, effective actions, and its
own path.
-
8/4/2019 IT Risk Management Report
41/52
Figure 12: Organizational clusters, showing all five underlying measurements. Mitigators deploy high technology and
process effectiveness despite comparatively low levels of compliance and business-process IT Risk.
Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor
grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis):
Figure 13: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness,
showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk.
The cluster analysis did not identify a fourth group, occupying the lower-left quadrant and
combining low levels of IT Risk and poor implementation of IT Risk Management programs.We suspect that such organizations are underrepresented in our sample because they are less
likely than others to participate in surveys about IT Risk Management or attend industry events
with IT Risk Management prominent on the agenda.
39
ITRIskManagementEffectiveness
Low
High
Low-Mid High
IT Risk Exposure
IT Risk
Mitigators
IT Risk
Balancer
IT Risk
Risk Management Patterns Cluster Analysis
IT Risk Exposure, Control Effectiveness and Incident Experience by Performance Cluster
Operating Risk Index
Incident Index
Compliance Risk Index
Process Effectiveness Index
Technology Effectiveness
At Risk Balancer Mitigator
-
8/4/2019 IT Risk Management Report
42/52
We speculate that this group faces low levels of risk, and implements IT Risk Management
programs poorly, if at all. Their IT Risk strategy, which may not be articulated, might be to react
to risks one by one as they arise, absorbing incident costs when that reaction is missing, inade-
quate or too late. Some may self-insure against IT Risks by maintaining reserves of financial
assets to help with recovery from incidents.
Risk mitigation: how far?
Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and com-
mon sense suggest not and certainly not at a reasonable cost. IT Risk must be managed,
minimizing risk and cost in areas most vital to the organization, without constraining business
performance.
And as organizations evolve over time, business priorities change, new regulations are enacted,
and new external and internal threats to information and infrastructure crop up every day.
A changing IT Risk landscape demands consistent, programmatic management to adapt to and
mediate new forms of IT Risk. The five-step approach described in Section 4 emphasized the
importance of iteration and management to address risk as part of a program of continuous
improvement.
Organizations that manage their risk portfolios effectively create opportunity: they can make
educated, informed decisions on how and when to take on additional risk. Their improved IT
Risk Management capacity gives them latitude to innovate and explore a wider range of
business options. ITs support of this capacity for flexible innovation is among its greatest
contributions to business value.
40
-
8/4/2019 IT Risk Management Report
43/52
41
We undertook this study to understand IT Risk and the effectiveness of technology and process controls in
managing that risk. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational
risk and while true, it may not be the full story. Organizations may also choose to invest in process and technol-ogy improvements with a primary goal of increasing operational efficiency. Lower risk levels in the Mitigator
cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for
operational effectiveness. Our results dont speak to their motivations.
But regardless of the motivations, these disciplines have positive impacts. Risk-management investments pay off
by reducing incidents and freeing organizations to compete with greater confidence, agility, and success.
Operational efficiency the same path to a different goal
-
8/4/2019 IT Risk Management Report
44/52
ConclusionsAn organizations assets, operations, and personnel may be brought to harm by internal or
external threats carried out or weaknesses exposed across IT networks and systems. Managing
IT Risk in service of your organizations mission is the subject of this report, and the purpose
of this series.
In a major year-long study, IT professionals reported significant gaps and shortcomings in their
organizations deployments of controls to help them manage IT Risk. Respondents rated their
organizations more effective at implementing risk-management technology than processes
across the full range of industries, geographies, organization size and professional responsibili-
ties. And they saw particular problems in managing IT assets and configuration and change
control both areas of critical importance in bringing IT Risks under control.
Respondents also displayed different perspectives on risk based on their individual responsibili-ties, and identify serious problems aligning and coordinating IT Risk Management with the
broader goals of their organizations. Misalignment is itself a source of IT Risk, from risk expo-
sures created by gaps between IT and organizational perceptions and priorities, and over-
investment in areas of low organizational priority, sapping resources more effectively deployed
elsewhere.
Best-in-class organizations even though they face higher levels of IT Risk anticipate fewer
incidents, due to careful investments that maintain high effectiveness over the entire range of
technology and process controls.
The report outlines a five-step process to help organizations put consistent, measurable, long-
term programs in place, avoiding over- and under-investment, and achieving steady improve-
ments measured against consensus goals.
Managing IT Risk is everyones job. From the CIO to the backup administrator, everyone should
share a common understanding of IT Risks, their priorities, and how they relate to their individ-
ual areas of responsibility. IT management must work closely with their business clients to
assure those priorities reflect the goals and objectives of the business as a whole. In combina-
tion, internal and business alignment assures appropriate resource allocation and operational
efficiencies.
42
-
8/4/2019 IT Risk Management Report
45/52
43
-
8/4/2019 IT Risk Management Report
46/52
Appendix
Methodology
Data collection
Between October 2005 and October 2006, Symantec collected 528 responses from IT profes-
sionals attending IT events worldwide. Respondents completed survey questionnaires and sub-
mitted results in person. Respondents were offered and received a report comparing their
responses to a benchmark group. To ensure candid responses and protect participants privacy,
Symantec contracted a third party, Ecosystems LLC of Vienna VA to collect, process, aggregate,
and protect the confidentiality of survey results on behalf of Symantec.
Survey instruments
Symantec collected 528 records using two survey instruments. The first, with 218 respondents,
covered Compliance Risk, Incident Rate, Technology Effectiveness and Process Effectiveness.
The second added a section on Business Process Risk and additional questions about Compli-
ance Risk, Technology Effectiveness and Process Effectiveness. An additional 310 individuals
responded to the expanded survey.
Most questions were identical on both surveys, so we combined those results for a sample size
of 528. Additions and improvements to the second survey prevented use of the full record set
for every analysis. As a result, much of the report reflects the 310 responses from the second
survey, with the larger sample size and more complete set of questions.
Demographics
We fielded both versions of the survey to a broad demographic group, and identified the indus-
try, number of employees, respondent job role and global or regional coverage of the respon-
dents business operations. These demographics provided the variables for much of our
analytical work.
Industry was classified into 37 segments, assembled into seven groups. The Other industry
group comprises Agriculture, Mining, Construction, Retail, Wholesale and Energy.
44
-
8/4/2019 IT Risk Management Report
47/52
Figure A1: Breakdown of 528 responses by industry. Please see the text for details.
We collected 161 and 308 job-role classifications from Surveys 1 and 2, respectively. We
attribute the lower response rate for job roles in Survey 1 to privacy concerns among European
respondents. The Professional role includes business, consultant and other non-IT job
functions.
Figure A2: Breakdown of responses by respondents professional responsibilities. Please see the text for details.
45
Respondents by Industry
Public Sector
Financial Services
Services
Manufacturing
Other
Telecom, Media
Healthcare
0 10 20 30 40 50 60 70 80 90
Survey 1 Survey 2
Number of Respondents
Professional
Executive
Director
Manager
0 20 40 60 80 100 120
Respondents by Professional Responsibility
Survey 1 Survey 2
Number of Respondents
-
8/4/2019 IT Risk Management Report
48/52
We measured organization size according to number of employees. As seen below, 215 respon-
dents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at
their organization.
Figure A3: Breakdown of responses by organization size. Please see the text for details.
We asked respondents to indicate the major areas of the globe in which their organizations had
operations. This question allowed respondents to pick multiple geographic regions, so the
number of responses exceeds the number of respondents. Since we did not identify headquar-
ters country, specific attribution of responses to geographic regions is not possible. We can,
however, understand risk-management behavior in terms of geographic scale of operations and
globalization.
Figure A4: Breakdown of 528 responses by respondent organizations operating region. Please see the text for details.
46
5,001 to 20,000
employees
> 20,000
employees
1,001 to 5,000
employees
< 1,000
employees
0 2010 40 5030 60 70 80 10090
Respondents by organization size
Survey 1 Survey 2
Number of Respondents
North America
Asia Pacific
EMEA
Latin America
0 50 100 150 200 250 350300
Respondents by organization operating regions
Survey 1 Survey 2
Number of Respondents
-
8/4/2019 IT Risk Management Report
49/52
-
8/4/2019 IT Risk Management Report
50/52
-
8/4/2019 IT Risk Management Report
51/52
NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or
use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors.
Symantec reserves the right to make changes without prior notice.
Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
-
8/4/2019 IT Risk Management Report
52/52