it risk management report

8/4/2019 IT Risk Management Report

1/52

IT Risk Management

Report

Trends through December 2006Volume 1, Published February, 2007

IT

RISK

M

ANAGEM

ENT


2/52

Greg Hughes, Executive Vice President

Worldwide Services and Support, Symantec Corporation

As IT becomes the cornerstone of

our connections with customers, suppliers,

partners, and business information,

identifying and managing IT Risk

becomes a core business capability.


3/52

Table of Contents

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1 Understanding IT Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security,

Availability, Performance and Compliance each with its own drivers and potential impacts.

2 Process and technology effectiveness in Managing IT Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Technology controls to manage IT Risk are often deployed more effectively than process controls.

Yet organizations that manage IT Risk effectively deploy people and process controls equally well.

3 Aligning IT and business risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

IT has moved from the glass house to the front lines and perceptions of IT Risk often differ by role and

function within organizations.These misalignments are barriers to effective IT Risk management.

4 Understanding effective Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs

and impacts, and design and implement a solution that adapts to organizational requirements.

5 Risk Mitigation: process and payoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

The good news is that theres a substantial upside to IT Risk Management a more effective organization,

with better control of its costs, technology, and future.

Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and

partners can work with us confidently toward our common goals.

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44


4/52

2

Executive SummaryInformation Technology (IT) Risk is a growing component of total Operational Risk. As businesses

increasingly depend on IT to automate processes and store information, IT Risk Management is

emerging as a separate practice. Organizations across sectors and industries have begun to

consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk

includes security, availability, performance and compliance elements, each with its own drivers

and capacity for harm.

This study examined IT Risk, along with the technology and process controls used to mitigate

it, in a year-long study based on in-depth structured interviews with more than 500 IT profes-

sionals around the world. The study determined that across industries, regions, and job roles,

IT professionals:

rate themselves more effective in their deployments of technology than of process controls

see management of IT assets and configuration and change processes as particular problem

areas

see people and process improvements as holding the greatest opportunities for them to move

from good to great

Data from high-performance organizations yielded a surprising and very encouraging result.

More-effective organizations even though they often face higher risk levels expect fewer

incidents than less-effective organizations. More detailed analysis into the specific controls

deployed by these companies revealed that best-in-class organizations perform with high effec-

tiveness across most controls, including process controls, while lower-performing organizations

typically focus on a small number of more tactical controls.

The study identified substantial differences in the ways IT operational personnel and executives

view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT

Risk, and poor alignment between IT Risk Management programs and overall business objec-

tives, may themselves create risk. This appears to occur when Risk Management programs are

not tailored to the specific risk profile of the business or coordinated across functional and

business unit lines leading to areas of both under- and over-investment. Poor organizational

support for IT Risk awareness and training is both a compelling example of poor alignment,

and a major cause.

Best-in-class IT Risk management requires a disciplined approach that includes IT Risk aware-

ness, quantification of business impacts, solution design and implementation across people,

process, and technology, and creation of a sustained IT Risk Management program complete

with performance measurement and a model for continuous improvement. A staged program

helps balance benefits, risks and costs at every step of implementation.


5/52

3

Highlights

This report is intended for executives with responsibilities for general, financial and IT manage-

ment anyone concerned with IT Risk and its management. With a broad cross-section of

experience from IT professionals across industries, geographies and organization types, the

report should provide context for Risk Management programs at your own organization.

Be sure to check these IT Risk Management Report highlights:

Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1

Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer

incidents: see Effective IT Risk Management performance in Section 2

Asset Management is the least-effective IT process: see Process effectiveness in Section 2

Poor alignment between IT Risk strategy and the risk profile of the business can actually

create higher business risk: see Why alignment on IT Risk matters in Section 3

High performance across most process and technology controls, versus a few targeted areas,

typically separates great from at-risk organizations: see Effective mitigation in Section 5


6/52

Your customers connect to their

financial future through your

systems and networks.


7/52

Section 1

Risk is potential damage to an organizations value, often from

inadequate management of processes and events. IT Risk is

emerging as a significant component of total business risk as

IT assumes a more prominent role in organizations, and can

account for more than 50% of total capital expenditure at

some companies. Individual IT Risks may be classified as:

Security risks of unauthorized access, alteration or use of

information

Availability risks of inaccessible business processes or data

Performance risks of delayed access to business processesor data

Compliance risks of violating legal, regulatory or IT policy

requirements

Understanding IT Risk

5


8/52

6

Understanding IT Risk

What is IT Risk?

Business risks range from everyday operational shortcomings to rare cataclysmic failures.

The types and levels of risk organizations face vary with their business and preferred risk pro-

file. For example, an entertainment company with many customer-facing systems and a strong

brand image might have a very different risk profile than a manufacturer with few externally-

facing systems but significant trade and design information to protect. And a high-growth

financial organization in a developing nation might be more concerned about availability and

performance risks as it scales up operations than a financial organization in a more mature

market where security and compliance concerns prevail.

Business risk is often split into financial and operational components. Financial risk is well un-

derstood, and established markets help organizations manage or transfer their credit, currency,

pricing, and other types of financial risk.

Operational risk results from operations rather than transactions, and may include risks from

external events such as natural disasters or changes in government regulation, or internal

processes associated with product quality, organization and plant performance, loss of intellec-tual property, or supervisory or legal controls.

As IT has become widely and deeply interconnected with business operations, IT Risk has grown

to prominence as a component of total operational risk. More than just a specialty area of

Operational Risk Management, IT Risk Management is emerging as a separate practice because

of the unique role IT plays in todays organizations:

IT is now integral to many business operations and transactions. In Financial Services and

Online Retail, for example, virtually the entire business may be carried out across IT systems

and networks.

IT Risk evolves as fast as technology changes. For example, online phishing fraud and

legal and regulatory requirements for IT countermeasures were virtually unknown just three

years ago.

Lifes risks extend from poor mobile-phone connections through war, famine and

disease. Different risks affect different individuals and organizations in differentways and as the world changes, so do the origins and types of risk we face.


9/52

7

Identification, measurement, analysis, and management of IT Risk requires specialized

knowledge and skills. Aligning IT skills and processes including IT Risk Management to

organizational goals is a constant challenge.

Figure 1: IT Risk spans four areas, each with its own set of drivers and potential impacts.

Classifying IT Risk

To help organizations understand and analyze IT Risk and organize their mitigation strategies,

Figure 1 outlines a framework for classifying risks according to their impact on the organization.

The framework classifies IT Risks as:

Security risk that information will be altered, accessed or used by unauthorized parties

Availability risk that information or applications will be inaccessible due to system failure or

natural disaster, including any recovery period

Performance risk that underperformance of systems, applications, or personnel or IT as a

whole will diminish business productivity or value

Compliance risk that information handling or processing will fail to meet regulatory, IT or

business policy requirements

These four categories classify all elements of IT Risk that we have seen in organizations. Table 1

(next page) provides further information and examples of sources and potential impacts of risks

in each category.

Although the survey on which this report is based concentrated on Security and Compliance

areas of risk, this implies no prioritization of the four elements of IT Risk. As we will see, every

organization has its own unique IT Risk profile, and prioritization of these elements is an impor-

tant early step in establishing an effective IT Risk Management program.

Secur

ity

Availability

Perf

orm

an

ceCom

plian

ce

IT

Risk

Keep Bad Things Out

Keep Important Things In

Internal and External

Malicious Threats

IT Policy and

External Regulations

Application Performance

and IT Performance

Natural Disasters and

System Failures

Ensure Adequate Controls

Automate Evidence Collection

Optimize Resources

Ensure Correct Configuration

Keep Systems Up

Ensure Rapid Recovery


10/52

Table 1: Categories of IT Risk, with examples of the sources and potential impacts associated with each.

8

Risk Category

Security

Compromise of information,

confidence in it and technologyand processes for managing it

Availability

Failure or delay in delivering IT

processes or information needed for

business transactions and operations

Performance

Slow or inefficient operation of IT

processes supporting business trans-

actions and operations

Compliance

Penalties, fines and loss of reputation

from failure to comply with laws and

regulations, or consequences of non-

compliance with IT policies

Source

- External attacks

- Malicious code

- Physical destruction

- Inappropriate access

- Disgruntled employees

- Proliferation of platform

and messaging types

- Hardware failures

- Network outages

- Poor change management

processes- Data center failures

- Force majeure

- Poor system architectures

- Network congestion

- Inefficient code

- Inadequate capacity

- Regulations unique to each jurisdic-

tion, including:

Graham-Leach-Bliley Act

EU Data Protection

Directive

Health Insurance Portability

and Accountability Act

(HIPAA)

Sarbanes-Oxley Act

- Legal actions

- Internal IT safeguards supportingcompliance

- Inadequate third-party compliance

standards

- Expansion from central to end-point

compliance

Potential Impact

- Corruption of information

- External fraud

- Identity theft

- Theft of financial assets

- Damage to reputation & brand

- Damage to assets

- Abandoned transactions and lost

sales

- Reduced customer, partner, em-

ployee confidence

- Interruption or delay of business-

critical processes

- Reduced IT staff productivity

- Reduced client satisfaction

- Reduced client or partner loyalty

- Reduced user productivity

- Interruption or delay of business-

critical process

- Lost IT productivity

- Damage to reputation

- Breach of client

confidentiality

- Litigation

- Executive productivity


11/52

What drives IT Risk?

From October 2005 through October 2006, Symantec surveyed 528 individuals on topics related

to IT Risk. Participants held a range of professional responsibilities in organizations of different

sizes, industries and geographies the Appendix provides demographic details.

To assess the magnitude of IT Risk associated with core business processes, we asked a subset

of respondents (n = 310)* to rate the IT Risk associated with each of seven key businesses

processes in their organization.1 The results are shown in Figure 2.

Figure 2: IT Risk associated with each of seven key business processes. IT Risk associated with Finance and Administra-

tion processes (leftmost column) led participants ratings for High or Critical risk, followed by those associated with

critical customer-facing and operational tasks. Research and Supply-chain processes received the lowest risk ratings.

9

LowNil Moderate High Cr itical

IT Risk by Business Process

0%

20%

40%

60%

80%

100%

%

ofrespo

ndents

Finance,

Admin.

CRM Operations Business

Intel.

Corp.

Resources

R&D Supply Chain

Customer Relationship Management (CRM) sales and electronic commerce

Supply Chain Management (SCM) the entire product value chain from source to end-user

Operations Management operational control of continuous service and product processes

Research & Development the development cycle of products and service offerings

Business Intelligence the corporate ability to make timely, informed business judgments

Finance & Administration the process of financial and administrative management

Corporate Resources business functions supporting the organization as a whole

Business-process definitions

* This study used two separate survey instruments some questions were repeated on both; others not. Numbers in parentheses (n= ) report the number ofsurveys supporting each graph or data comparison. Please see the Appendix, Survey instrumentsfor details.


12/52

Systems and processes supporting Finance and Administrative were associated with the great-

est IT Risk, with over 66% of the respondents rating it High or Critical. Sales, Operations and

Business Intelligence processes ranked second, with 53% giving Critical or High ratings for all

three measures. Research & Development and Supply Chain Management systems and pro-

cesses introduced the least amount of IT Risk; only 27% of those surveyed rated SCM risks as

High or Critical, and just 33% rated R&D risks this way.

These results highlight two important points. First, IT Risk affects every major business process

category: for even the lowest-ranked business process, nearly a third of professionals ranked IT

Risk High or Critical. Second, IT Risk is highest for critical operational functions or those that

manage critical and proprietary or confidential information, and lower only for functions further

removed from revenue generation and the customer experience.

Our analysis also explored the components of compliance risk. Participants were asked how

much risk each of six categories of regulations introduced into their organization. The resultsare illustrated in Figure 3 (n = 528 except for Data Retention, n = 310).

Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance. Data Protection and Retention show

the highest proportion of High and Critical ratings, followed by Corporate Governance.

Respondents saw Data Protection and Retention introducing the greatest amount of compliance

risk into their organizations, with a very substantial 66% and 70% of respondents rating these

risks as High and Critical, respectively. Compliance with Corporate Governance policies ranked

third, with 55% High or Critical ratings. About half the respondents rated Intellectual Property

risk as High or Critical, while National Security and Criminal and Civil Laws were seen to intro-

duce the least risk only 36% and 44% of respondents, respectively, rating these either High

or Critical.

10

LowNil Moderate High Critical

IT Risk by Compliance Area

0%

20%

40%

60%

80%

100%

%

ofrespondents

Data

Retention

Data

Protection

Corp.

Governance

IP Civil,

Criminal

National

Security


13/52

As with Business Processes, respondents expressed strong concerns about IT Risk in every Com-

pliance area risks in even the lowest-ranked areas were seen as significant by a third to half of

the respondents. More significantly, more than half the respondents saw High or Critical IT Risk

in areas governing the proper operation of their organizations and protection of critical informa-

tion. This level of concern across so broad a range of roles and industries underscores how

poorly managed these risks may be judged by those best-positioned to know.

To help understand the impact of IT Risk associated with compliance processes, we compiled an

index to measure the relative importance of each of the six compliance measures above, and

applied it to organizations with different demographics.

Results show that organization size is a significant determinant of perceived compliance risk.

For example, while 33% of organizations with more than 20,000 employees see compliance riskas critical to their organizations, only 15% of organizations with fewer employees do. Although

a definitive explanation for this requires further investigation, the data are consistent with

larger organizations greater complexity, number of business processes and operations, and

geographic span of operations, exposing them to more regulations and requiring greater com-

pliance with internal policies to monitor and govern organizational behavior.

The Aerospace and Defense industry segment was the only industry in which a majority of

respondents rated compliance risk as critical. And despite the stringent regulations they face,

only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as

critical. Respondents from Europe, the Middle East and Africa generally saw less risk associated

with compliance than their counterparts in the United States. In Section 5, we will explore

reasons for low risk ratings by organizations operating in high-risk environments.

11

Data Protection securing confidentiality of private and personal information, for example against identity theft

Data Retention ensuring that enterprise data is stored securely and retained for access by legitimate users

Corporate Governance assuring that public disclosures accurately reflect corporate performance

National Security protecting citizens and national infrastructure from terrorism, war, or national disaster

Civil & Criminal Legal Framework assuring that IT systems and networks systems support legal infrastructure

through electronic signatures, data movement and use of IT resources

Intellectual Property Protection protecting individual and corporate intellectual property

Compliance definitions


14/52

Patient health and privacy

connect when medical records

are transmitted or stored.


15/52

Section 2

Effective IT Risk Management requires competence and invest-

ment in processes and technologies. Professionals surveyed

at all levels of organizations across industries, scale, and

geographic reach, see their organizations capabilities to

deploy IT Risk Management technologies as more effective

than their capabilities deploying processes.

Process and technology effectiveness in

Managing IT Risk

13


16/52

IT Risk Management processes andtechnology

Controls for IT Risk ManagementAlthough Risk Management principles have received wide attention, few organizations have for-

malized their IT Risk Management programs until recently. In the past few years, however, more

organizations have added Chief Risk Officers and other executive positions with responsibilities

for IT Risk management, or have adopted formalized service-management standards such as

the IT Infrastructure Library (ITIL), ISO 17799, and COBIT to help them manage IT Risk.

The most effective IT Risk Management programs use well-defined controls that combine well-

chosen technologies and best-practice processes. We have identified eight technology and eight

process controls that represent best practices for managing IT Risk (see sidebar, Process and

Technology Controls for IT Risk Management, for details). They are derived from best practices

defined by international standards including the code of practice for information security man-

agement (ISO/IEC 17799:20052), COBIT3 and ITIL, published by the United Kingdoms Office of

Government Commerce,4 refined by Symantec experience in dealing with highly effective organi-

zations, and expanded to encompass availability and performance in addition to security and

compliance.

We asked survey participants to rate their success implementing each of the defined IT Risk

Management controls both process and technology. We also asked them to rate the amount of

risk their organizations face, to determine whether organizations facing high levels of risk are

more likely to have implemented highly-effective controls.

14

While acknowledging the relevance of Risk Management to IT, organizations

often struggle to put its principles into practice. Participants ratings of their

organizations effectiveness deploying processes and technologies for IT Risk

Management depend not only on their organizations industry, size, range of

operation and other demographic factors, but on the differing perceptions of

professionals within the organizations.


17/52

15

Process Controls

IT and Security Strategic Management, Policy andArchitecture architectures, policies and strategies

defined to run IT services

Organizational Structure, Roles and Responsibili-

ties standards for interactions between groups;

authority for security and external security-related

communications

Training and Awareness processes to increase

visibility and knowledge of security risks

Assessment and Auditing processes to assess the

environment, controls, policies and processes used to

implement strategy

Authentication, Authorization and Access Manage-

ment processes and technology to verify users

identities and control access to resources

Operational Design, Workflows and Automation

design and implementation of automated solutions;

workflow and resource management

Asset Inventory, Classification and Management

processes to identify and classify assets, supporting

execution of asset-class-based policies

Incident Readiness and Response standards for

preparation for and response to incidents

Technology Controls

Application Design, Development and Testing processes, procedures, and methodologies to ensure

that new and updated applications are appropriate,

efficient and secure

Systems Build and Deployment systems and tech-

nologies to assure effective, secure deployment of new

and updated systems

Data Life Cycle Management technology to move,

replicate and protect data

Configuration and Change Management tools and

processes to regulate change

Resilient Infrastructure technology to detect and

correct vulnerabilities related to availability (e.g.,redundancy and failover)

Performance Management technology to monitor

and manage system performance

Network, Protocol and Host Security network

design and infrastructure including segmentation,

protocols, perimeter defense and availability

Physical Security technologies governing access to

IT infrastructure and facilities

Process and Technology Controls for IT Risk Management


18/52

Process effectiveness

We surveyed our sample of IT professionals (n=310) to understand how effective they thought

their organizations were in deploying eight key process-based controls. The results are shown in

Figure 4.

Figure 4: Ratings of organizations effectiveness at IT Risk Management processes, ordered left-to-right in decreasing

order of perceived effectiveness.

Authentication, Authorization and Access was rated highest for effectiveness, with 68% of

respondents rating their organizations more than 75% effective. Asset Inventory Classification

and Management was lowest, with only 38% rating their organizations more than 75% effective.

The findings show that most IT professionals feel their organizations are most effective deploying

tactical controls for which they are accountable: organizational structure, and authentication,

authorization, and access. They rate themselves moderately effective at policy-setting and com-

pliance, assessment and audit, and incident response. And few felt they performed effectively in

employee and IT staff training and awareness, operational design, or asset management.

The data show that the path from basic performance to best practice requires moving IT Risk

Management programs away from a reactive posture, designed for protection against malicious

external threats. Instead, programs should raise IT Risk awareness and spread avoidance and

mitigation efforts throughout their organizations.

Respondents rated Asset Inventory Classification and Management least effective of all their

deployments. Yet this discipline is fundamental to build an IT Risk Management program that

reflects the organizations priorities. Without careful risk assessment, all assets are likely to be

treated equally, so that some will be overprotected and others underprotected.

16

IT Risk Management Process Effectiveness

%

ofrespondents

100%

80%

60%

40%

20%

0%Authent.,

Authorization,

Access

Organizational

Structure

Incident

Response

IT Policy

Management,

Architecture

Assessment,

Audit

Training,

Awareness

Operational

Design

Asset Inv.,

Classification,

Management

90% effective


19/52

Technology effectiveness

Figure 5 below represents how effective organizations are in deploying technology controls:

Figure 5: Ratings of organizations technology effectiveness, ordered left-to-right in decreasing order of perceived

effectiveness.

Network Protocol and Host Security and Physical Security were the top-rated technology

control deployments, with 80% and 77% of respondents, respectively, rating their organiza-

tions more than 75% effective. These are the strongest ratings of all controls, process or

technology. Configuration and Change Management received such ratings from only 55%

of respondents, and Performance Management from just 52%. Secure Application Develop-

ment was least-frequently rated effective, with only 43% rating their deployments 75%effective or higher.

The low ratings of configuration and change and performance management deployments are

significant. Organizations use these technologies to understand the configurations and per-

formance levels of IT assets so they can minimize service disruptions and increase throughput.

These deployments are critical in keeping systems stable, performing effectively, and up to date.

Poor configuration and change management also constrains efforts to adapt and modernize

systems for new opportunities or threats.

Although the survey identifies change management as a problem area, there are recent signs

of improvement. In their ITIL Change Management Maturity Benchmark Study,5 Evergreen

Systems noted that, IT executives are increasingly integrating and internalizing change manage-

ment procedures, processes and tools as core components of the organization. We will see

in Section 4 that these disciplines are important drivers of performance improvements in IT

organizations.

17

IT Risk Management Technology Effectiveness

90% effective

0%

20%

40%

60%

80%

100%

%

ofrespondents

Network,

Protocol,

Host Security

Physical

Security

Resilient

Infrastructure

Secure Data

Lifecycle

Management

Secure

Systems

Config.

and Change

Management

Perform.

Management

Secure

Application

Development


20/52

The role of secure application development is growing, as IT professionals recognize its effec-

tiveness in preventing exploitation of application vulnerabilities by eliminating them at the

source. The technology requires substantial early investments in tools and skills, so while

secure application development proves very cost-effective over time, it remains in an early

stage of adoption at most organizations.

Technology and Process effectiveness index

To compare organizations effectiveness deploying IT Risk Management processes and technol-

ogy by industry, geography, organization size and respondent job role, we defined two indexes.

The first averages ratings for eight process controls, the second for eight technology controls.

We set levels to classify organizations as Strong, Good, Weak or Poor at implementing and

deploying these controls.

Figure 6 compares these effectiveness ratings. It shows that organizations are generally moreeffective implementing technology than they are processes: 33% rated Strong on the Technol-

ogy Effectiveness Index; only 25% on the Process Effectiveness Index.

Figure 6: Effectiveness indexes of organizations, rating implementation effectiveness of technology and process

controls; each index averages eight individual factors. Organizations implementations are generally stronger for

technology controls.

Process effectiveness lags behind technology despite the recent industry focus on processes,

using frameworks such as ITIL, ISO and COBIT.6 For a closer look, we analyzed the data according

to demographic categories.

The relative strength of technology over process effectiveness was robust across industry,

organization size, operating region, and professional role of respondents, with just a few varia-

tions, specifically:

18

Poor Weak Good Strong

IT Risk Management Process vs. Technology EffectivenessEffectiveness Index

100%

80%

60%

40%

20%

0%

%

ofrespondents

Process Technology


21/52

only in Government, Healthcare and Manufacturing did effectiveness deploying process

controls even approach parity with effectiveness deploying technology controls; in no case

were process controls rated more effective.

large organizations and global organizations (often the same) were more effective deployingboth technology and process controls, but every classification showed greater effectiveness

with technology controls than with process controls.

ratings of overall effectiveness from Managers were higher than those from either Directors

or Executives; again, all groups rated their organizations more effective with technology than

with process controls for IT Risk Management.

Best in Class: IT Risk and incident expectations

To help understand what makes organizations stand out as Best in Class at IT Risk Management,

we divided 310 respondents into quartiles according to their overall effectiveness in the 16process and technology controls identified earlier. The classifications were:

Best in Class top quartile (76th or better percentile, n=77)

Better second (51st to 75th, n=78)

Good third (26th to 50th, n=77)

Worst fourth (25th or worse n=78)

For each quartile, we calculated and plotted separate indexes for regulatory and operational

IT Risk (across 6 compliance and 7 business-process IT Risk areas), together with the rates at

which respondents expected IT incidents. Results appear in Figure 7.

Figure 7: Expected IT incident rates and two categories of IT Risk for organizations in each IT Risk Management perform-

ance quartile. IT incident expectations decline with effectiveness, despite increasing perception of IT Risk.

19

Perceived IT Risks and Incidents by IT Risk Management Effectivenessby Quartile

1

2

3

4

5

Worst

Index

Good BestBetter

Compliance Risk Business Process Risk Incidents


22/52

These results show that organizations rated more effective at managing IT Risk also experience

higher levels of both Regulatory and Operational Risk. We had anticipated higher incident

rates at high risk levels, either because negative impacts are more likely where risk exposure is

higher, or because organizations base their perceptions of risk on incident expectations. The

data show the opposite: effective organizations expect fewer incidents despite operating

in riskier environments.

This result suggests that by building awareness of exposure to IT Risks and improving technol-

ogy and processes for mitigating them, organizations may actually reduce incident rates below

the levels experienced by less-effective firms operating in safer environments. The result also

cautions organizations not to count on a low-exposure operating environment to protect them

from incidents without effective technical and process controls.

Effective IT Risk Management performance

The relationship between organizations IT Risk Management controls and expected incident

rates deserves a close look. For example, weve seen that despite facing the studys highest

levels of risk, best-in-class organizations expect the lowest realization of IT Risk, measured as

incidents. Clearly, they are doing something right what is it?

When we fielded the research, we believed that the 16 process and technology controls identi-

fied in earlier sections would prove to be effective defenses or countermeasures, reducing an

organizations exposure to both external and internal IT Risks. To test this hypothesis, we used

data from performance quartiles identified in the preceding section to plot organizations effec-

tiveness in deploying each individual process or technology control.

In the radar graphs of Figure 8, gaps between the concentric polygons reveal differences in

effectiveness from one performance quartile to another for example, the jump in Training

and Awareness process effectiveness between the Worst and Good groups in Figure 7.

Asymmetries in the polygons reveal imbalances in effectiveness for example, the high esti-

mates of Network Protocol, Host Security technology effectiveness for all quartiles in Figure 8.

The lowest-performing quartile shows modest performance in two process areas (organization

and authentication/authorization/access) and two technology areas (network and physical

security). These areas are the most tactical in scope and straightforward in implementation, and

therefore where most organizations get started. They have deployed other controls lightly or not

at all, and assess their deployments as fairly ineffective.

20


23/52

Effectiveness with Controls for Managing IT RIsk

Figure 8: Process (top) and technology (bottom) control effectiveness scores for organizations in each performancequartile. Organizations with higher performance show effective performance across most or all measures (shown as

distance from the graphs center), rather than heavy emphasis on a few.

Moving from the lowest quartile to the highest reveals a clear trend. More-effective organizations

increase the number of controls they deploy, and raise the effectiveness of deployment of each

control. Organizations in the top two quartiles begin to experience diminishing returns in areas

such as physical security and authentication, authorization, and access, and much better returns

on measures such as configuration and change management, data lifecycle management,

operational design, training and awareness, and others. The path from good to great IT Risk

Management, then, involves moving from tactical, technical, and reactive to strategic, expansive,

and proactive measures. It also requires a balanced program to evaluate all 16 measures and

optimize incremental investments of people and dollars to achieve the greatest impact.

21

Process Controls

by Quartile

Assesment, Audit

Training, Awareness

Operational Design

Incident Response

Asset Inv., Classify, Mgmt.

IT Policy Mgmt., Architect

Authent., Author., Access 1

2

3

4

5

Org. Structure

Technology Controlsby Quartile

Secure Systems

Secure Appl. Development

Config. and Change Mgmt.

Secure Data Lifecycle Mgmt.

Perform. Mgmt.

Resilient Infra.

Physical Security

Network, Protocol, Host Security

Worst Good Better Best Mean


24/52

Critical connections face unique

risks, and require special defenses.


25/52

Section 3

Organizations manage risks so that they can pursue opportu-

nities while keeping costs under control. Aligning differing

perspectives on and activities toward IT Risk among technical

staff, managers and executives, and across departments and

regions is critical to avoid gaps, duplication, and waste.

Aligning IT and business risks

23


26/52


27/52

Our survey data identified lack of alignment on assessments of IT Risk within IT departments

themselves, and between IT departments and the organizations they serve.

Achieving internal alignment on IT Risk

The survey classified respondents jobs into Executive, Director, Manager, and Professional cate-

gories. Since the latter group includes non-IT employees, consultants, and third parties, the

analysis concentrates on the first three groups. Respondents reported the level of IT Risk they

perceived, first in complying with regulatory and policy requirements, and second in carrying

out business operations.

Figure 9 shows the level of compliance risk perceived across the range of professional responsi-

bilities in the survey. The results show an organizational chasm between the ranks of Managers

who implement IT programs and therefore bear responsibility for the internal risk exposures

and shortcomings of the organization and senior Executives who set direction for the organi-zation, and bear responsibility for its exposure to external risks. The chasm appears in the

assessment of Critical risks at the Director level. Directors were least likely to perceive compli-

ance risk as Critical: only 16% did so, against 22% for Executives and Managers. Assessments

of High risks were close to parity: 44% of Directors rated their compliance risk as High, the

same as Managers and two percentage points below Executives.

Figure 9: Ratings of organizations compliance IT Risk by respondents in four job categories. Directors reported lower

levels of compliance risk than Executives or Managers.

25

Low Moderate High Cr it ical

100%

80%

60%

40%

20%

0%

Perception of Compliance IT Risk by Professional Responsibilityby Job Role

Executive Director Manager Professional

%

ofrespondents


28/52

Figure 10 repeats the analysis for IT Risk introduced by Business Processes. Misalignment of IT

Risk perceptions was even more dramatic, but in the opposite direction: 22% of Directors per-

ceived Business Process Risk as Critical, against only 8% of Executives and 12% of Managers.

Figure 10: Rating of organizations' business process IT Risk by respondents in four job categories. Directors reported

lower levels than either Executives or Managers.

Disagreements among the ranks continued with process and technology effectiveness ratings.

Section 2 revealed different effectiveness ratings for deployment of process and technology

capabilities. A closer look shows that while 39% of IT managers report their organizations 75%

or more effective in implementing technology capabilities, only 27% of executives agreed.

Again, IT professionals differ by job role in assessing their risk-management environments.

Of course, since these respondents were drawn from different organizations, alignment may be

better within organizations than the job-role analysis suggests. But the systematic differences

seen among Executive, Director and Manager perceptions were outside expectations based on

differences in experience with a regulation or technology.

The survey data, as well as discussions with respondents, revealed that the operational staff

closest to implementation of IT programs may be the most inwardly-focused, and have the high-

est awareness of specific weaknesses. Senior executives most removed from day-to-day opera-

tions may share a high perception of IT Risk, but with perceptions based on awareness of

external factors and concern for the unknown. The Director level which would ideally bridge

these operational and strategic viewpoints to facilitate alignment may be biased toward tacti-

cal operational risks over external or regulatory risks, due to their direct accountability for

operational IT Risks.

26

0%

20%

40%

60%

80%

100%

Low Moderate High Critical

Perceptions of Business Process IT Risk by Professional ResponsibilityJob Role

%

ofrespondents

Executive Director Manager Professional


29/52

Why alignment on IT Risk matters

Misalignment of perceptions and actions is more than just a source of internal disagreement

about IT Risk Management policy; it can itself become a source of IT Risk. Misalignment occurs

in two ways, either of which may elevate risk.

The first type of misalignment is internal to IT, causing gaps in the way systems and processesare developed, deployed and managed. Invisible until something goes wrong, these gaps may

cause sudden unexpected service-level shortfalls, system downtime, and security breaches.

Today this disconnect often occurs along organizational lines for example, in the seams

between the executives and functions responsible for security, compliance, and operational

business continuity and availability. Solutions such as messaging typically require all these

functions to converge on a solution that is secure, available, and compliant, yet organizational

alignments make convergence difficult to achieve.

27

Collecting data for this study at IT conferences and roundtables, we heard a recurring theme about alignment.

Respondents told us that training users about IT and security risks, for example, ranked among their greatest

challenges. Recall that in Figure 4 of Section 2, we saw that Training and Awareness ranked third from thebottom in effectiveness among eight process controls. They insisted that technology-based controls can only

go so far, and that effective mitigation of IT Risk requires behavioral changes by end users throughout the

organization.

Two elements were frequently cited as necessary to encourage behavioral change. The first was quantification

of value to the organization as a whole. Until an organizations stakeholders understand the impact of lost infor-

mation, unavailable systems, and non-compliant processes in terms that are meaningful to them lost sales,

dissatisfied customers or reduced productivity, for example sustained focus will remain out of reach. Dramatic

examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insuffi-

cient motivation to do more than the minimum.

The second element is culture. Organizations have different risk profiles to which IT Risk programs should be

tuned. But they may also incorporate different workforces and cultures that will accept different levels of IT pol-

icy awareness and compliance. For example, a company with tens of thousands of employees averaging 24 years

of age may require a very different policy for IM use and Web access on company systems and time than smaller

companies with older workforces. Selective enforcement and highly visible actions may be more effective than

stringent policies that are unenforceable because they fail to align with the organizations culture.

Alignment the business side


30/52

The second type of misalignment is between the IT function and the rest of the organization.

The IT Risk program may not fully reflect or respond to the needs of the organization as a whole,

resulting in loss of agility and increased risk. Alternately, organizational units and functions

may not have sufficient awareness of their own IT Risk exposures. These disconnects result in

ivory tower IT programs that over-invest in risk areas relevant to IT but not necessarily high

organizational priorities, or under-invest in areas critical to organizational goals. Both result in

lower contributions to the organizations overall success.

Active management and mitigation of IT Risk requires IT departments to avoid risks created by

misalignment. First, they must make sure their departments are aligned internally. From the CIO

to the backup administrator, everyone in the department should share an understanding of IT

Risks and priorities, and how they relate to their own areas of responsibility. Second, IT man-

agement must work closely with clients and stakeholders in the organization as a whole, enlist-

ing their help to assure that IT priorities reflect the organizations goals and objectives, and to

drive compliance with IT Risk Management programs where necessary. In combination, internal

and business alignment assures appropriate resource allocation and operational efficiency.

Companies following best practices in managing IT Risk incorporate the IT Risk strategy within

the organizations annual planning process to ensure alignment within IT and across the

organization, and then track performance at an executive level as part of a corporate balanced

scorecard.

28


31/52

29

How do your incident expectations measure up to those of the organizations in the survey? Answer these four

questions, and check your results against survey norms on the last page of the report:

Context: What reflects the expected frequency of the following incidents in your organization?

1. Regulatory Your enterprise is found to be out of compliance with one or more governing

Non-Compliance regulations:

Never

Once every 5 years

Once every 2 years

Once a year

More than once a year

2. Major Information Service impact to your organization, caused by a loss of information, confidential-

Loss ity, integrity or availability (e.g. data center outage, data corruption, full breach of

security):

Never

Once every 5 years

Once a year

Twice a year

More than twice a year

3. Major IT Impact Severe impact to your IT organization affecting more than 10% of your clients

and/or servers halting operations of some critical part of your operations:

Once every 5 years

Once a year

Twice a year

5 times a year

More than 5 times a year

4. Minor IT Impact Minor impact to your IT systems affecting less than 10% of your clients and/or

servers, hinders the work of individuals or groups:

Once a year

10 times a year

20 times a year

Every day

More than once a day

Sample questions

Answers to self-test on page 47.


32/52

Your business depends on reliable

connections with suppliers,

distributors, and customers.


33/52

Section 4

Organizations achieve effective IT Risk Management by deploy-

ing a broad range of IT technology and process controls. The

transition from good to great IT Risk Management is achieved

primarily by increasing effectiveness across the full range of

measures in a structured, disciplined program that proceeds

from a broad assessment of IT Risks to a closed-loop process of

continuous improvement.

Understanding effective Risk Management

31


34/52

Understanding effective IT RiskManagement

Achieving Best in Class IT Risk ManagementFew organizations have achieved the level of IT Risk Management performance achieved by

Best in Class organizations in this survey. The field is still emerging, and not all organizations

are yet organized to deal with IT Risk in an integrated fashion. Nor do all companies face the

same levels of IT Risk or share similar risk profiles. The case for change, however, is compelling:

organizations are experiencing rising incident rates across the areas of security, availability,

performance, and compliance, with significant impact to revenue, reputation, productivity, and

cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthor-

ized access to information averaged over $85,000 in 2006,8 and system downtime costs reached

tens of thousands of dollars per hour.9

It doesnt take long for incidents of this scale to createsignificant drag on an organization.

How can organizations advance from good IT Risk Management practice to great? For organiza-

tions trying to manage IT Risks effectively, the challenge includes understanding their portfolio

of IT Risks, quantifying and prioritizing them against the organizations risk profile, and devel-

oping an effective program of remediation activities.

A five-step process can help organizations assess their levels of IT Risk, develop remediation

roadmaps, and ultimately build effective, continuous IT Risk Management Programs. While the

steps themselves, detailed in Figure 11, may seem familiar, the specific tools and tasks support-

ing them are very valuable, and linkages between phases help maintain focus and continuity of

organizational commitment.

32

How can an organization build its capabilities for IT Risk Management? While

there is no single formula or protocol, a broadly-applicable assessment, quan-

tification, design, alignment and measurement program can help organizations

marshal their resources effectively to achieve real, lasting improvements in

IT Risk Management, often while reducing IT infrastructure and process com-

plexity and cost.


35/52

Figure 11: Five-step IT Risk Mitigation process.

Step 1 Develop awareness of IT Risks

IT Risk mitigation begins with comprehensive discovery, including:

establishing the programs scope (how expansive a view of IT Risk is appropriate?)

constructing a risk profile for the organization based on its overall priorities

identifying key areas of IT Risk

For many companies, the challenge of discovery includes both identifying new areas of risk,

often by evaluating the risk profile and assessment against IT best practices, and organizing the

dozens or hundreds of IT Risks of which they are already acutely aware.

A common question at this stage is, How do I take the issues I already know about and assem-

ble them into a comprehensive, structured framework I can assess and prioritize? A clear

framework requires identifying critical IT assets and understanding how they support criticalbusiness processes. Critical assets include the technology infrastructure underlying corporate

operations, staff with privileged access to information, and the organizations IT operational

processes.

Assessment should also consider the organizations current requirements, capabilities and

vulnerabilities. Requirements include legal obligations such as regulations, contracts, and

service level agreements, as well as business requirements such as the privacy, availability,

and integrity of business information.

Finally, this stage involves identifying and classifying threats, issues, vulnerabilities, and

weaknesses, assigning each a priority according to risk. The search for vulnerabilities and

weaknesses should cover applications, infrastructure, operations, and organizations.

33

DevelopAwarenessof IT Risks

QuantifyBusinessImpacts

DesignSolution

Align IT /Business Value& ImplementSolution

Build &ManageUnifiedCapability

Step 1 Step 2 Step 3 Step 4 Step 5

IT Risk Assessment and Management Process


36/52

Step 2 Quantify business impacts

Quantifying business impacts is typically the most challenging step and the most important.

Until they have quantified the impact, positive or negative, of addressing an area of IT Risk,

IT leadership may be unable to attract their colleagues attention to it, or the funds needed formitigation.

The currency of the business case varies according to the business and the area of risk. A Web

site crash will mean lost revenue or sales for a retailer, negative brand impact or lost viewers for

a media company, lost productivity for a manufacturer, and so on. The key is to build a case that

makes sense in the local currency, whatever it may be.

Quantification of business impacts typically follows a two-phased approach. In the first, the full

portfolio of risks is coarsely prioritized based on potential business impacts according to the

organizations risk profile and the ease or difficulty of risk mitigation, measured in time, staff

resources, and investment. The second phase builds detailed business arguments for only those

risks identified as high-impact areas. The model can be iterative, and it should be periodic,

linked to the organizational and IT planning cycles.

Step 3 Design solution

At this point, the organization knows the scope and components of its Risk Management pro-

gram, its current status, and the priority and quantification of each area of IT Risk.

The next step is to design a set of remediation solutions, across the classic elements of people,

process, and technology, each with requirements, specifications, goals, and functions. For some

organizations this will be a narrowly-focused activity to address the most imminent areas of

risk; for others a longer-term program with sequenced waves of initiatives.

This phase also includes detailed costing analysis to keep costs and benefits of proposed initia-

tives aligned to organizational goals. For example, a model might be designed to provide tiered

levels of service based on the priorities for different types of data and portions of the business.

Solutions that reduce risk frequently also reduce complexity and cost. This is especially true

when risks have been introduced by dense or poorly-followed processes, misaligned organiza-

tional models, or unclear requirements or policies.

34


37/52

Step 4 Align IT and business value; implement solution

Although quantification is the most difficult step, most programs success lies in the effective-

ness of implementation. Implementation determines whether risk-mitigation initiatives are

deployed successfully across people, process, and technology with close involvement of organi-zational stakeholders, or devolve into local IT projects measured narrowly by software and gear

implemented and administrators trained.

Closed-loop measurement and continuous improvement are essential. With a coherent system

of metrics and performance management capabilities, organizations set the stage for collection

of baseline data, performance tracking, and assessment of program effectiveness against the

original business case.

Step 5 Build and manage unified capability

Once implementation of the first wave of IT Risk solutions is underway, organizations shouldinstitute programs for continuous improvement and ongoing governance of their IT Risk Man-

agement program.

As in most change-management programs, IT Risk Management follows a maturity model that

begins with tactical basics and evolves to Best-in-Class performance. For most organizations,

their position in this maturity model depends on their IT Risk profile and progresses through

several waves of organizational, process, and technological change before reaching its goal. By

adapting their efforts as their experience and effectiveness grow toward maturity, organizations

can avoid or overcome the most common implementation challenges, including:

replacing guesswork with quantification and prioritization of IT Risk Management efforts and

investments

replacing intermittent, reactive projects with a program that delivers consistent improve-

ments over the long run

replacing speculation with clear progress against consensus goals to secure the long-term

investments needed for mitigation of IT Risks

35


38/52

Connections bring both opportu-

nities and risks managing them

is everyones job.


39/52

37

Section 5

In order to understand organizations IT Risk strategies better,

we classified respondents into profiles based on their level of

IT Risk and IT Risk Management effectiveness. While there are

many ways to manage risk successfully, the resulting levels of

risk and the costs to the organization can vary greatly. The best

companies align investment to exposure, to focus attention

and resources where they matter most.

Risk Mitigation: process and payoff

37


40/52

IT Risk mitigation profiles

Effective mitigation

To explore the limits of risk mitigation, we performed a cluster analysis (n=310) to identify con-

sistent patterns in survey respondents risk exposure, effectiveness of mitigation efforts, and

expectation of IT incidents. The analysis revealed three groups in which respondents are similar

to one another, but different from those in the two other segments:

At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing

medium to high levels of IT Risk, but demonstrate poor effectiveness in addressing it through

mitigating process and technology measures. Organizations with this profile typically expect a

high rate of incidents.

IT Risk Mitigators (23%) maintain effective IT Risk Management programs, but actually

experience low levels of IT Risk. Organizations in this category seem to address IT Risk

through overinvestment, ensuring mitigation, but at high costs.

IT Risk Balancers (42%) pursue a matching strategy, meeting their organizations high levels

of IT Risk exposure with highly-effective mitigation processes and technologies. These organi-

zations are frequently Best in Class.

Figure 12 shows the performance of the three groups revealed by the cluster analysis, display-

ing all five underlying measurements instead of the single composite score used to create the

clusters. The most interesting results are from the IT Risk Mitigator cluster. Mitigators, like Bal-

ancers, show high process and technology effectiveness yet they face the lowest IT Risk levels

of any group. Nothing in their underlying demographics separates Mitigators from Balancers.

Instead, it appears that these organizations have chosen IT Risk Management strategies that

meet comparatively low levels of IT Risk with investments that keep their mitigation processes

and technologies highly effective. Mitigators expect to enjoy low incident rates, but it is possible

that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would

identify over-investments, signaling excessive costs, and missed opportunities elsewhere.

38

The way an organization manages the challenges in its environment can make

the difference between a defensive, reactive position and an active posturethat gives it the freedom to choose appropriate risks, effective actions, and its

own path.


41/52

Figure 12: Organizational clusters, showing all five underlying measurements. Mitigators deploy high technology and

process effectiveness despite comparatively low levels of compliance and business-process IT Risk.

Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor

grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis):

Figure 13: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness,

showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk.

The cluster analysis did not identify a fourth group, occupying the lower-left quadrant and

combining low levels of IT Risk and poor implementation of IT Risk Management programs.We suspect that such organizations are underrepresented in our sample because they are less

likely than others to participate in surveys about IT Risk Management or attend industry events

with IT Risk Management prominent on the agenda.

39

ITRIskManagementEffectiveness

Low

High

Low-Mid High

IT Risk Exposure

IT Risk

Mitigators

IT Risk

Balancer

IT Risk

Risk Management Patterns Cluster Analysis

IT Risk Exposure, Control Effectiveness and Incident Experience by Performance Cluster

Operating Risk Index

Incident Index

Compliance Risk Index

Process Effectiveness Index

Technology Effectiveness

At Risk Balancer Mitigator


42/52

We speculate that this group faces low levels of risk, and implements IT Risk Management

programs poorly, if at all. Their IT Risk strategy, which may not be articulated, might be to react

to risks one by one as they arise, absorbing incident costs when that reaction is missing, inade-

quate or too late. Some may self-insure against IT Risks by maintaining reserves of financial

assets to help with recovery from incidents.

Risk mitigation: how far?

Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and com-

mon sense suggest not and certainly not at a reasonable cost. IT Risk must be managed,

minimizing risk and cost in areas most vital to the organization, without constraining business

performance.

And as organizations evolve over time, business priorities change, new regulations are enacted,

and new external and internal threats to information and infrastructure crop up every day.

A changing IT Risk landscape demands consistent, programmatic management to adapt to and

mediate new forms of IT Risk. The five-step approach described in Section 4 emphasized the

importance of iteration and management to address risk as part of a program of continuous

improvement.

Organizations that manage their risk portfolios effectively create opportunity: they can make

educated, informed decisions on how and when to take on additional risk. Their improved IT

Risk Management capacity gives them latitude to innovate and explore a wider range of

business options. ITs support of this capacity for flexible innovation is among its greatest

contributions to business value.

40


43/52

41

We undertook this study to understand IT Risk and the effectiveness of technology and process controls in

managing that risk. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational

risk and while true, it may not be the full story. Organizations may also choose to invest in process and technol-ogy improvements with a primary goal of increasing operational efficiency. Lower risk levels in the Mitigator

cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for

operational effectiveness. Our results dont speak to their motivations.

But regardless of the motivations, these disciplines have positive impacts. Risk-management investments pay off

by reducing incidents and freeing organizations to compete with greater confidence, agility, and success.

Operational efficiency the same path to a different goal


44/52

ConclusionsAn organizations assets, operations, and personnel may be brought to harm by internal or

external threats carried out or weaknesses exposed across IT networks and systems. Managing

IT Risk in service of your organizations mission is the subject of this report, and the purpose

of this series.

In a major year-long study, IT professionals reported significant gaps and shortcomings in their

organizations deployments of controls to help them manage IT Risk. Respondents rated their

organizations more effective at implementing risk-management technology than processes

across the full range of industries, geographies, organization size and professional responsibili-

ties. And they saw particular problems in managing IT assets and configuration and change

control both areas of critical importance in bringing IT Risks under control.

Respondents also displayed different perspectives on risk based on their individual responsibili-ties, and identify serious problems aligning and coordinating IT Risk Management with the

broader goals of their organizations. Misalignment is itself a source of IT Risk, from risk expo-

sures created by gaps between IT and organizational perceptions and priorities, and over-

investment in areas of low organizational priority, sapping resources more effectively deployed

elsewhere.

Best-in-class organizations even though they face higher levels of IT Risk anticipate fewer

incidents, due to careful investments that maintain high effectiveness over the entire range of

technology and process controls.

The report outlines a five-step process to help organizations put consistent, measurable, long-

term programs in place, avoiding over- and under-investment, and achieving steady improve-

ments measured against consensus goals.

Managing IT Risk is everyones job. From the CIO to the backup administrator, everyone should

share a common understanding of IT Risks, their priorities, and how they relate to their individ-

ual areas of responsibility. IT management must work closely with their business clients to

assure those priorities reflect the goals and objectives of the business as a whole. In combina-

tion, internal and business alignment assures appropriate resource allocation and operational

efficiencies.

42


45/52

43


46/52

Appendix

Methodology

Data collection

Between October 2005 and October 2006, Symantec collected 528 responses from IT profes-

sionals attending IT events worldwide. Respondents completed survey questionnaires and sub-

mitted results in person. Respondents were offered and received a report comparing their

responses to a benchmark group. To ensure candid responses and protect participants privacy,

Symantec contracted a third party, Ecosystems LLC of Vienna VA to collect, process, aggregate,

and protect the confidentiality of survey results on behalf of Symantec.

Survey instruments

Symantec collected 528 records using two survey instruments. The first, with 218 respondents,

covered Compliance Risk, Incident Rate, Technology Effectiveness and Process Effectiveness.

The second added a section on Business Process Risk and additional questions about Compli-

ance Risk, Technology Effectiveness and Process Effectiveness. An additional 310 individuals

responded to the expanded survey.

Most questions were identical on both surveys, so we combined those results for a sample size

of 528. Additions and improvements to the second survey prevented use of the full record set

for every analysis. As a result, much of the report reflects the 310 responses from the second

survey, with the larger sample size and more complete set of questions.

Demographics

We fielded both versions of the survey to a broad demographic group, and identified the indus-

try, number of employees, respondent job role and global or regional coverage of the respon-

dents business operations. These demographics provided the variables for much of our

analytical work.

Industry was classified into 37 segments, assembled into seven groups. The Other industry

group comprises Agriculture, Mining, Construction, Retail, Wholesale and Energy.

44


47/52

Figure A1: Breakdown of 528 responses by industry. Please see the text for details.

We collected 161 and 308 job-role classifications from Surveys 1 and 2, respectively. We

attribute the lower response rate for job roles in Survey 1 to privacy concerns among European

respondents. The Professional role includes business, consultant and other non-IT job

functions.

Figure A2: Breakdown of responses by respondents professional responsibilities. Please see the text for details.

45

Respondents by Industry

Public Sector

Financial Services

Services

Manufacturing

Other

Telecom, Media

Healthcare

0 10 20 30 40 50 60 70 80 90

Survey 1 Survey 2

Number of Respondents

Professional

Executive

Director

Manager

0 20 40 60 80 100 120

Respondents by Professional Responsibility

Survey 1 Survey 2



48/52

We measured organization size according to number of employees. As seen below, 215 respon-

dents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at

their organization.

Figure A3: Breakdown of responses by organization size. Please see the text for details.

We asked respondents to indicate the major areas of the globe in which their organizations had

operations. This question allowed respondents to pick multiple geographic regions, so the

number of responses exceeds the number of respondents. Since we did not identify headquar-

ters country, specific attribution of responses to geographic regions is not possible. We can,

however, understand risk-management behavior in terms of geographic scale of operations and

globalization.

Figure A4: Breakdown of 528 responses by respondent organizations operating region. Please see the text for details.

46

5,001 to 20,000

employees

> 20,000

employees

1,001 to 5,000

employees

< 1,000

employees

0 2010 40 5030 60 70 80 10090

Respondents by organization size

Survey 1 Survey 2


North America

Asia Pacific

EMEA

Latin America

0 50 100 150 200 250 350300

Respondents by organization operating regions

Survey 1 Survey 2



49/52


50/52


51/52

NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or

use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors.

Symantec reserves the right to make changes without prior notice.

Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec

Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


52/52

it risk management report

Documents