Study finds weak link in IT security

Symantec study reveals a difference in how IT workers and IT managers view their organization's IT risk, and process controls lag behind technology controls in mitigating risks.
Written by Aaron Tan, Contributor

Companies in a recent study said they expect to be hit by at least one major IT incident that disrupts business, and business process controls are still lacking in many organizations.

According to the Symantec IT risk management report, more than 60 percent of respondents expect at least one major IT incident per year that could halt or disrupt a critical part of the business. Conducted over a 12-month period ending October 2006, the study examines the elements that make up an effective IT risk management strategy.

Specifically, 66 percent of respondents expect a major regulatory incident at least once every five years. Additionally, 58 percent of respondents expect a major data loss caused by events such as data center outage, corruption of data, or breach of security systems, at least once every five years.

According to Symantec, effective IT risk management requires a combination of strong expertise and investment in process and technology controls.

However, Symantec found that process controls lag behind technology controls in mitigating IT risk: respondents generally rated their organizations' technology controls as more effective than their process controls.

Only 38 percent of respondents rated their organizations more than 75 percent effective at implementing asset inventory, classification, and management process controls. According to Symantec, these controls are the foundation of an IT risk management program that reflects the organization's priorities, because an organization cannot prioritize protection for assets it has not identified and classified.

"Without careful risk assessment, all assets are likely to be treated equally, where some may be over-protected and others under-protected," Symantec cautioned.

Jon Oltsik, a senior analyst at Enterprise Strategy Group, said: "Organizations are beginning to see the value in taking a proactive, rather than reactive approach to their IT risk management strategy."

He added: "Effective IT risk management requires organizations to assess both their technology and processes, as well as have clear understanding and agreement about different risks that may impact their systems and their overall business."

The survey also revealed a difference in the way IT workers and IT managers viewed their organization's IT risk exposure.

For example, 8 percent of IT workers rated business process risk as critical to their IT operations, compared with 22 percent of IT directors. Conversely, 23 percent of IT workers rated compliance risk as critical to their IT operations, compared with 16 percent of IT directors.

Symantec noted that such differing internal viewpoints on IT risk can themselves create risk by producing poor coordination within an organization. The result may be over- or under-investment in controls, leading to wasted resources and ineffective IT risk management programs.

"As organizations are growing more and more dependent on their IT systems to conduct business, IT risk has become a primary concern for business leaders and one that should be addressed as part of a larger business risk management strategy," said Greg Hughes, executive vice president of Symantec Global Services.

Symantec collected information from more than 500 respondents, including IT managers and senior IT executives, at organizations with worldwide operations across several vertical sectors.