Symantec issued its second annual report on IT risk management. Key findings from "IT Risk Management Report" that surveyed 405 IT professionals include:
- IT professionals are adopting a more balanced, less security-centric view of IT risk—more of them now see availability risk as critical or serious than any other element.
- Compliance risk is more than security risk formalized by law: data breaches, outages and disasters may cause irrecoverable losses of customer loyalty, revenue, and company value.
- Reactive or annual project-oriented IT risk management is better than nothing. But IT professionals’ expectations of monthly incidents in a constantly-changing global and regional business and technology environment call for a continuous, process-oriented approach.
- Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents.
- Over the past year, survey participants saw no improvement in asset inventory classification and management controls, and a decline in data lifecycle management.
- IT risk management builds on operational risk management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting corporate governance, and supported by its own emerging frameworks, standards, and best practices.
The report also took the pulse of those survey regarding how they view their exposure to high impact events:
- 66 percent of participants expect a regulatory non-compliance event at least once every five years
- 59 percent expect a major loss-of-information event at least once every five years
- 63 percent expect a major IT failure at least once a year
- 69 percent expect a minor IT failure at least ten times a year
The report offers the usual recommendations to lessen risk, such as have one person in charge, use an event as a catalyst for change, perform initial risk assessments and start dialogs at the executive and board level.
One of the findings that stood out is the root cause of incidents that increase risk to the business. A lack of process frameworks, environmental issues and staffing lapses accounted the large percentage of incidents among those surveyed. Those three areas would be the right places to start directed efforts to reduce risk profiles.