K IT Risk Management A Report N EMENT -...
Transcript of K IT Risk Management A Report N EMENT -...
IT Risk ManagementReport
Trends through December 2006Volume 1, Published February, 2007
ITR
ISK
MA
NA
GE
ME
NT
– Greg Hughes, Executive Vice PresidentWorldwide Services and Support, Symantec Corporation
“As IT becomes the cornerstone of
our connections with customers, suppliers,
partners, and business information,
identifying and managing IT Risk
becomes a core business capability.”
Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1 – Understanding IT Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security,
Availability, Performance and Compliance – each with its own drivers and potential impacts.
2 – Process and technology effectiveness in Managing IT Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Technology controls to manage IT Risk are often deployed more effectively than process controls.
Yet organizations that manage IT Risk effectively deploy people and process controls equally well.
3 – Aligning IT and business risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23IT has moved from the glass house to the front lines – and perceptions of IT Risk often differ by role and
function within organizations.These misalignments are barriers to effective IT Risk management.
4 – Understanding effective Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs
and impacts, and design and implement a solution that adapts to organizational requirements.
5 – Risk Mitigation: process and payoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37The good news is that there’s a substantial upside to IT Risk Management – a more effective organization,
with better control of its costs, technology, and future.
Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and
partners can work with us confidently toward our common goals.
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2
Executive SummaryInformation Technology (IT) Risk is a growing component of total Operational Risk. As businesses
increasingly depend on IT to automate processes and store information, IT Risk Management is
emerging as a separate practice. Organizations across sectors and industries have begun to
consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk
includes security, availability, performance and compliance elements, each with its own drivers
and capacity for harm.
This study examined IT Risk, along with the technology and process controls used to mitigate
it, in a year-long study based on in-depth structured interviews with more than 500 IT profes-
sionals around the world. The study determined that across industries, regions, and job roles,
IT professionals:
• rate themselves more effective in their deployments of technology than of process controls
• see management of IT assets and configuration and change processes as particular problem
areas
• see people and process improvements as holding the greatest opportunities for them to move
from good to great
Data from high-performance organizations yielded a surprising – and very encouraging – result.
More-effective organizations – even though they often face higher risk levels – expect fewer
incidents than less-effective organizations. More detailed analysis into the specific controls
deployed by these companies revealed that best-in-class organizations perform with high effec-
tiveness across most controls, including process controls, while lower-performing organizations
typically focus on a small number of more tactical controls.
The study identified substantial differences in the ways IT operational personnel and executives
view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT
Risk, and poor alignment between IT Risk Management programs and overall business objec-
tives, may themselves create risk. This appears to occur when Risk Management programs are
not tailored to the specific risk profile of the business or coordinated across functional and
business unit lines – leading to areas of both under- and over-investment. Poor organizational
support for IT Risk awareness and training is both a compelling example of poor alignment,
and a major cause.
Best-in-class IT Risk management requires a disciplined approach that includes IT Risk aware-
ness, quantification of business impacts, solution design and implementation across people,
process, and technology, and creation of a sustained IT Risk Management program complete
with performance measurement and a model for continuous improvement. A staged program
helps balance benefits, risks and costs at every step of implementation.
3
Highlights
This report is intended for executives with responsibilities for general, financial and IT manage-
ment – anyone concerned with IT Risk and its management. With a broad cross-section of
experience from IT professionals across industries, geographies and organization types, the
report should provide context for Risk Management programs at your own organization.
Be sure to check these IT Risk Management Report highlights:
• Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1
• Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer
incidents: see Effective IT Risk Management performance in Section 2
• Asset Management is the least-effective IT process: see Process effectiveness in Section 2
• Poor alignment between IT Risk strategy and the risk profile of the business can actually
create higher business risk: see Why alignment on IT Risk matters in Section 3
• High performance across most process and technology controls, versus a few targeted areas,
typically separates great from at-risk organizations: see Effective mitigation in Section 5
Section 1
Risk is potential damage to an organization’s value, often from
inadequate management of processes and events. IT Risk is
emerging as a significant component of total business risk as
IT assumes a more prominent role in organizations, and can
account for more than 50% of total capital expenditure at
some companies. Individual IT Risks may be classified as:
• Security risks – of unauthorized access, alteration or use of
information
• Availability risks – of inaccessible business processes or data
• Performance risks – of delayed access to business processes
or data
• Compliance risks – of violating legal, regulatory or IT policy
requirements
Understanding IT Risk
5
6
Understanding IT Risk
What is IT Risk?
Business risks range from everyday operational shortcomings to rare cataclysmic failures.
The types and levels of risk organizations face vary with their business and preferred risk pro-
file. For example, an entertainment company with many customer-facing systems and a strong
brand image might have a very different risk profile than a manufacturer with few externally-
facing systems but significant trade and design information to protect. And a high-growth
financial organization in a developing nation might be more concerned about availability and
performance risks as it scales up operations than a financial organization in a more mature
market where security and compliance concerns prevail.
Business risk is often split into financial and operational components. Financial risk is well un-
derstood, and established markets help organizations manage or transfer their credit, currency,
pricing, and other types of financial risk.
Operational risk results from operations rather than transactions, and may include risks from
external events such as natural disasters or changes in government regulation, or internal
processes associated with product quality, organization and plant performance, loss of intellec-
tual property, or supervisory or legal controls.
As IT has become widely and deeply interconnected with business operations, IT Risk has grown
to prominence as a component of total operational risk. More than just a specialty area of
Operational Risk Management, IT Risk Management is emerging as a separate practice because
of the unique role IT plays in today’s organizations:
• IT is now integral to many business operations and transactions. In Financial Services and
Online Retail, for example, virtually the entire business may be carried out across IT systems
and networks.
• IT Risk evolves as fast as technology changes. For example, online “phishing” fraud – and
legal and regulatory requirements for IT countermeasures – were virtually unknown just three
years ago.
Life’s risks extend from poor mobile-phone connections through war, famine and
disease. Different risks affect different individuals and organizations in different
ways – and as the world changes, so do the origins and types of risk we face.
7
• Identification, measurement, analysis, and management of IT Risk requires specialized
knowledge and skills. Aligning IT skills and processes – including IT Risk Management – to
organizational goals is a constant challenge.
Figure 1: IT Risk spans four areas, each with its own set of drivers and potential impacts.
Classifying IT Risk
To help organizations understand and analyze IT Risk and organize their mitigation strategies,
Figure 1 outlines a framework for classifying risks according to their impact on the organization.
The framework classifies IT Risks as:
• Security risk – that information will be altered, accessed or used by unauthorized parties
• Availability risk – that information or applications will be inaccessible due to system failure or
natural disaster, including any recovery period
• Performance risk – that underperformance of systems, applications, or personnel – or IT as a
whole – will diminish business productivity or value
• Compliance risk – that information handling or processing will fail to meet regulatory, IT or
business policy requirements
These four categories classify all elements of IT Risk that we have seen in organizations. Table 1
(next page) provides further information and examples of sources and potential impacts of risks
in each category.
Although the survey on which this report is based concentrated on Security and Compliance
areas of risk, this implies no prioritization of the four elements of IT Risk. As we will see, every
organization has its own unique IT Risk profile, and prioritization of these elements is an impor-
tant early step in establishing an effective IT Risk Management program.
Secu
rity
Availability
Perform
ance
Compliance
ITRisk
Keep Bad Things OutKeep Important Things In
Internal and ExternalMalicious Threats
IT Policy andExternal Regulations
Application Performanceand IT Performance
Natural Disasters and System Failures
Ensure Adequate ControlsAutomate Evidence Collection
Optimize ResourcesEnsure Correct Configuration
Keep Systems UpEnsure Rapid Recovery
Table 1: Categories of IT Risk, with examples of the sources and potential impacts associated with each.
8
Risk Category
Security
Compromise of information, confidence in it and technology and processes for managing it
Availability
Failure or delay in delivering ITprocesses or information needed forbusiness transactions and operations
Performance
Slow or inefficient operation of ITprocesses supporting business trans-actions and operations
Compliance
Penalties, fines and loss of reputationfrom failure to comply with laws andregulations, or consequences of non-compliance with IT policies
Source
- External attacks
- Malicious code
- Physical destruction
- Inappropriate access
- Disgruntled employees
- Proliferation of platform
and messaging types
- Hardware failures
- Network outages
- Poor change management
processes
- Data center failures
- Force majeure
- Poor system architectures
- Network congestion
- Inefficient code
- Inadequate capacity
- Regulations unique to each jurisdic-
tion, including:
• Graham-Leach-Bliley Act
• EU Data Protection
Directive
• Health Insurance Portability
and Accountability Act
(HIPAA)
• Sarbanes-Oxley Act
- Legal actions
- Internal IT safeguards supporting
compliance
- Inadequate third-party compliance
standards
- Expansion from central to end-point
compliance
Potential Impact
- Corruption of information
- External fraud
- Identity theft
- Theft of financial assets
- Damage to reputation & brand
- Damage to assets
- Abandoned transactions and lost
sales
- Reduced customer, partner, em-
ployee confidence
- Interruption or delay of business-
critical processes
- Reduced IT staff productivity
- Reduced client satisfaction
- Reduced client or partner loyalty
- Reduced user productivity
- Interruption or delay of business-
critical process
- Lost IT productivity
- Damage to reputation
- Breach of client
confidentiality
- Litigation
- Executive productivity
What drives IT Risk?
From October 2005 through October 2006, Symantec surveyed 528 individuals on topics related
to IT Risk. Participants held a range of professional responsibilities in organizations of different
sizes, industries and geographies – the Appendix provides demographic details.
To assess the magnitude of IT Risk associated with core business processes, we asked a subset
of respondents (n = 310)* to rate the IT Risk associated with each of seven key businesses
processes in their organization.1 The results are shown in Figure 2.
Figure 2: IT Risk associated with each of seven key business processes. IT Risk associated with Finance and Administra-
tion processes (leftmost column) led participants’ ratings for High or Critical risk, followed by those associated with
critical customer-facing and operational tasks. Research and Supply-chain processes received the lowest risk ratings.
9
LowNil Moderate High Critical
IT Risk by Business Process
0%
20%
40%
60%
80%
100%
%of
resp
ond
ents
Finance, Admin.
CRM Operations BusinessIntel.
Corp.Resources
R&D Supply Chain
Customer Relationship Management (CRM) – sales and electronic commerce
Supply Chain Management (SCM) – the entire product value chain from source to end-user
Operations Management – operational control of continuous service and product processes
Research & Development – the development cycle of products and service offerings
Business Intelligence – the corporate ability to make timely, informed business judgments
Finance & Administration – the process of financial and administrative management
Corporate Resources – business functions supporting the organization as a whole
Business-process definitions
* This study used two separate survey instruments – some questions were repeated on both; others not. Numbers in parentheses (“n= ”) report the number ofsurveys supporting each graph or data comparison. Please see the Appendix, “Survey instruments” for details.
Systems and processes supporting Finance and Administrative were associated with the great-
est IT Risk, with over 66% of the respondents rating it High or Critical. Sales, Operations and
Business Intelligence processes ranked second, with 53% giving Critical or High ratings for all
three measures. Research & Development and Supply Chain Management systems and pro-
cesses introduced the least amount of IT Risk; only 27% of those surveyed rated SCM risks as
High or Critical, and just 33% rated R&D risks this way.
These results highlight two important points. First, IT Risk affects every major business process
category: for even the lowest-ranked business process, nearly a third of professionals ranked IT
Risk High or Critical. Second, IT Risk is highest for critical operational functions or those that
manage critical and proprietary or confidential information, and lower only for functions further
removed from revenue generation and the customer experience.
Our analysis also explored the components of compliance risk. Participants were asked how
much risk each of six categories of regulations introduced into their organization. The results
are illustrated in Figure 3 (n = 528 except for Data Retention, n = 310).
Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance. Data Protection and Retention show
the highest proportion of High and Critical ratings, followed by Corporate Governance.
Respondents saw Data Protection and Retention introducing the greatest amount of compliance
risk into their organizations, with a very substantial 66% and 70% of respondents rating these
risks as High and Critical, respectively. Compliance with Corporate Governance policies ranked
third, with 55% High or Critical ratings. About half the respondents rated Intellectual Property
risk as High or Critical, while National Security and Criminal and Civil Laws were seen to intro-
duce the least risk – only 36% and 44% of respondents, respectively, rating these either High
or Critical.
10
LowNil Moderate High Critical
IT Risk by Compliance Area
0%
20%
40%
60%
80%
100%
%of
resp
ond
ents
DataRetention
DataProtection
Corp.Governance
IP Civil,Criminal
NationalSecurity
As with Business Processes, respondents expressed strong concerns about IT Risk in every Com-
pliance area – risks in even the lowest-ranked areas were seen as significant by a third to half of
the respondents. More significantly, more than half the respondents saw High or Critical IT Risk
in areas governing the proper operation of their organizations and protection of critical informa-
tion. This level of concern – across so broad a range of roles and industries – underscores how
poorly managed these risks may be judged by those best-positioned to know.
To help understand the impact of IT Risk associated with compliance processes, we compiled an
index to measure the relative importance of each of the six compliance measures above, and
applied it to organizations with different demographics.
Results show that organization size is a significant determinant of perceived compliance risk.
For example, while 33% of organizations with more than 20,000 employees see compliance risk
as critical to their organizations, only 15% of organizations with fewer employees do. Although
a definitive explanation for this requires further investigation, the data are consistent with
larger organizations’ greater complexity, number of business processes and operations, and
geographic span of operations, exposing them to more regulations and requiring greater com-
pliance with internal policies to monitor and govern organizational behavior.
The Aerospace and Defense industry segment was the only industry in which a majority of
respondents rated compliance risk as critical. And despite the stringent regulations they face,
only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as
critical. Respondents from Europe, the Middle East and Africa generally saw less risk associated
with compliance than their counterparts in the United States. In Section 5, we will explore
reasons for low risk ratings by organizations operating in high-risk environments.
11
Data Protection – securing confidentiality of private and personal information, for example against identity theft
Data Retention – ensuring that enterprise data is stored securely and retained for access by legitimate users
Corporate Governance – assuring that public disclosures accurately reflect corporate performance
National Security – protecting citizens and national infrastructure from terrorism, war, or national disaster
Civil & Criminal Legal Framework – assuring that IT systems and networks systems support legal infrastructure
through electronic signatures, data movement and use of IT resources
Intellectual Property Protection – protecting individual and corporate intellectual property
Compliance definitions
Section 2
Effective IT Risk Management requires competence and invest-
ment in processes and technologies. Professionals surveyed
at all levels of organizations across industries, scale, and
geographic reach, see their organizations’ capabilities to
deploy IT Risk Management technologies as more effective
than their capabilities deploying processes.
Process and technology effectiveness inManaging IT Risk
13
IT Risk Management processes and technology
Controls for IT Risk Management
Although Risk Management principles have received wide attention, few organizations have for-
malized their IT Risk Management programs until recently. In the past few years, however, more
organizations have added Chief Risk Officers and other executive positions with responsibilities
for IT Risk management, or have adopted formalized service-management standards such as
the IT Infrastructure Library (ITIL®), ISO 17799, and COBIT® to help them manage IT Risk.
The most effective IT Risk Management programs use well-defined controls that combine well-
chosen technologies and best-practice processes. We have identified eight technology and eight
process controls that represent best practices for managing IT Risk (see sidebar, “Process and
Technology Controls for IT Risk Management,” for details). They are derived from best practices
defined by international standards including the code of practice for information security man-
agement (ISO/IEC 17799:20052), COBIT3 and ITIL, published by the United Kingdom’s Office of
Government Commerce,4 refined by Symantec experience in dealing with highly effective organi-
zations, and expanded to encompass availability and performance in addition to security and
compliance.
We asked survey participants to rate their success implementing each of the defined IT Risk
Management controls – both process and technology. We also asked them to rate the amount of
risk their organizations face, to determine whether organizations facing high levels of risk are
more likely to have implemented highly-effective controls.
14
While acknowledging the relevance of Risk Management to IT, organizations
often struggle to put its principles into practice. Participants’ ratings of their
organizations’ effectiveness deploying processes and technologies for IT Risk
Management depend not only on their organizations’ industry, size, range of
operation and other demographic factors, but on the differing perceptions of
professionals within the organizations.
15
Process Controls
IT and Security Strategic Management, Policy and
Architecture – architectures, policies and strategies
defined to run IT services
Organizational Structure, Roles and Responsibili-
ties – standards for interactions between groups;
authority for security and external security-related
communications
Training and Awareness – processes to increase
visibility and knowledge of security risks
Assessment and Auditing – processes to assess the
environment, controls, policies and processes used to
implement strategy
Authentication, Authorization and Access Manage-
ment – processes and technology to verify users’
identities and control access to resources
Operational Design, Workflows and Automation –
design and implementation of automated solutions;
workflow and resource management
Asset Inventory, Classification and Management –
processes to identify and classify assets, supporting
execution of asset-class-based policies
Incident Readiness and Response – standards for
preparation for and response to incidents
Technology Controls
Application Design, Development and Testing –
processes, procedures, and methodologies to ensure
that new and updated applications are appropriate,
efficient and secure
Systems Build and Deployment – systems and tech-
nologies to assure effective, secure deployment of new
and updated systems
Data Life Cycle Management – technology to move,
replicate and protect data
Configuration and Change Management – tools and
processes to regulate change
Resilient Infrastructure – technology to detect and
correct vulnerabilities related to availability (e.g.,redundancy and failover)
Performance Management – technology to monitor
and manage system performance
Network, Protocol and Host Security – network
design and infrastructure including segmentation,
protocols, perimeter defense and availability
Physical Security – technologies governing access to
IT infrastructure and facilities
Process and Technology Controls for IT Risk Management
Process effectiveness
We surveyed our sample of IT professionals (n=310) to understand how effective they thought
their organizations were in deploying eight key process-based controls. The results are shown in
Figure 4.
Figure 4: Ratings of organizations’ effectiveness at IT Risk Management processes, ordered left-to-right in decreasing
order of perceived effectiveness.
“Authentication, Authorization and Access” was rated highest for effectiveness, with 68% of
respondents rating their organizations more than 75% effective. “Asset Inventory Classification
and Management” was lowest, with only 38% rating their organizations more than 75% effective.
The findings show that most IT professionals feel their organizations are most effective deploying
tactical controls for which they are accountable: organizational structure, and authentication,
authorization, and access. They rate themselves moderately effective at policy-setting and com-
pliance, assessment and audit, and incident response. And few felt they performed effectively in
employee and IT staff training and awareness, operational design, or asset management.
The data show that the path from basic performance to best practice requires moving IT Risk
Management programs away from a reactive posture, designed for protection against malicious
external threats. Instead, programs should raise IT Risk awareness and spread avoidance and
mitigation efforts throughout their organizations.
Respondents rated “Asset Inventory Classification and Management” least effective of all their
deployments. Yet this discipline is fundamental to build an IT Risk Management program that
reflects the organization’s priorities. Without careful risk assessment, all assets are likely to be
treated equally, so that some will be overprotected and others underprotected.
16
IT Risk Management Process Effectiveness
%of
resp
ond
ents
100%
80%
60%
40%
20%
0%Authent.,
Authorization,Access
OrganizationalStructure
IncidentResponse
IT PolicyManagement,Architecture
Assessment,Audit
Training,Awareness
OperationalDesign
Asset Inv.,Classification,Management
<10% effective 25% effective 50% effective 75% effective >90% effective
Technology effectiveness
Figure 5 below represents how effective organizations are in deploying technology controls:
Figure 5: Ratings of organizations’ technology effectiveness, ordered left-to-right in decreasing order of perceived
effectiveness.
“Network Protocol and Host Security” and “Physical Security” were the top-rated technology
control deployments, with 80% and 77% of respondents, respectively, rating their organiza-
tions more than 75% effective. These are the strongest ratings of all controls, process or
technology. “Configuration and Change Management” received such ratings from only 55%
of respondents, and “Performance Management” from just 52%. “Secure Application Develop-
ment” was least-frequently rated effective, with only 43% rating their deployments 75%
effective or higher.
The low ratings of configuration and change and performance management deployments are
significant. Organizations use these technologies to understand the configurations and per-
formance levels of IT assets so they can minimize service disruptions and increase throughput.
These deployments are critical in keeping systems stable, performing effectively, and up to date.
Poor configuration and change management also constrains efforts to adapt and modernize
systems for new opportunities or threats.
Although the survey identifies change management as a problem area, there are recent signs
of improvement. In their “ITIL Change Management Maturity Benchmark Study,”5 Evergreen
Systems noted that, “IT executives are increasingly integrating and internalizing change manage-
ment procedures, processes and tools as core components of the organization.” We will see
in Section 4 that these disciplines are important drivers of performance improvements in IT
organizations.
17
IT Risk Management Technology Effectiveness
<10% effective 25% effective 50% effective 75% effective >90% effective
0%
20%
40%
60%
80%
100%
%of
resp
ond
ents
Network,Protocol,
Host Security
PhysicalSecurity
ResilientInfrastructure
Secure DataLifecycle
Management
SecureSystems
Config. and Change
Management
Perform.Management
SecureApplication
Development
The role of secure application development is growing, as IT professionals recognize its effec-
tiveness in preventing exploitation of application vulnerabilities by eliminating them at the
source. The technology requires substantial early investments in tools and skills, so while
secure application development proves very cost-effective over time, it remains in an early
stage of adoption at most organizations.
Technology and Process effectiveness index
To compare organizations’ effectiveness deploying IT Risk Management processes and technol-
ogy by industry, geography, organization size and respondent job role, we defined two indexes.
The first averages ratings for eight process controls, the second for eight technology controls.
We set levels to classify organizations as Strong, Good, Weak or Poor at implementing and
deploying these controls.
Figure 6 compares these effectiveness ratings. It shows that organizations are generally more
effective implementing technology than they are processes: 33% rated Strong on the Technol-
ogy Effectiveness Index; only 25% on the Process Effectiveness Index.
Figure 6: Effectiveness indexes of organizations, rating implementation effectiveness of technology and process
controls; each index averages eight individual factors. Organizations’ implementations are generally stronger for
technology controls.
Process effectiveness lags behind technology despite the recent industry focus on processes,
using frameworks such as ITIL, ISO and COBIT.6 For a closer look, we analyzed the data according
to demographic categories.
The relative strength of technology over process effectiveness was robust across industry,
organization size, operating region, and professional role of respondents, with just a few varia-
tions, specifically:
18
Poor Weak Good Strong
IT Risk Management Process vs. Technology EffectivenessEffectiveness Index
100%
80%
60%
40%
20%
0%
%of
resp
ond
ents
Process Technology
• only in Government, Healthcare and Manufacturing did effectiveness deploying process
controls even approach parity with effectiveness deploying technology controls; in no case
were process controls rated more effective.
• large organizations and global organizations (often the same) were more effective deploying
both technology and process controls, but every classification showed greater effectiveness
with technology controls than with process controls.
• ratings of overall effectiveness from Managers were higher than those from either Directors
or Executives; again, all groups rated their organizations more effective with technology than
with process controls for IT Risk Management.
Best in Class: IT Risk and incident expectations
To help understand what makes organizations stand out as Best in Class at IT Risk Management,
we divided 310 respondents into quartiles according to their overall effectiveness in the 16
process and technology controls identified earlier. The classifications were:
• Best in Class – top quartile (76th or better percentile, n=77)
• Better – second (51st to 75th, n=78)
• Good – third (26th to 50th, n=77)
• Worst – fourth (25th or worse n=78)
For each quartile, we calculated and plotted separate indexes for regulatory and operational
IT Risk (across 6 compliance and 7 business-process IT Risk areas), together with the rates at
which respondents expected IT incidents. Results appear in Figure 7.
Figure 7: Expected IT incident rates and two categories of IT Risk for organizations in each IT Risk Management perform-
ance quartile. IT incident expectations decline with effectiveness, despite increasing perception of IT Risk.
19
Perceived IT Risks and Incidents by IT Risk Management Effectivenessby Quartile
1
2
3
4
5
Worst
Ind
ex
Good BestBetter
Compliance Risk Business Process Risk Incidents
These results show that organizations rated more effective at managing IT Risk also experience
higher levels of both Regulatory and Operational Risk. We had anticipated higher incident
rates at high risk levels, either because negative impacts are more likely where risk exposure is
higher, or because organizations base their perceptions of risk on incident expectations. The
data show the opposite: effective organizations expect fewer incidents despite operating
in riskier environments.
This result suggests that by building awareness of exposure to IT Risks and improving technol-
ogy and processes for mitigating them, organizations may actually reduce incident rates below
the levels experienced by less-effective firms operating in safer environments. The result also
cautions organizations not to count on a low-exposure operating environment to protect them
from incidents without effective technical and process controls.
Effective IT Risk Management performance
The relationship between organizations’ IT Risk Management controls and expected incident
rates deserves a close look. For example, we’ve seen that despite facing the study’s highest
levels of risk, best-in-class organizations expect the lowest realization of IT Risk, measured as
incidents. Clearly, they are doing something right – what is it?
When we fielded the research, we believed that the 16 process and technology controls identi-
fied in earlier sections would prove to be effective defenses or countermeasures, reducing an
organization’s exposure to both external and internal IT Risks. To test this hypothesis, we used
data from performance quartiles identified in the preceding section to plot organizations’ effec-
tiveness in deploying each individual process or technology control.
In the “radar” graphs of Figure 8, gaps between the concentric polygons reveal differences in
effectiveness from one performance quartile to another – for example, the jump in “Training
and Awareness” process effectiveness between the “Worst” and “Good” groups in Figure 7.
Asymmetries in the polygons reveal imbalances in effectiveness – for example, the high esti-
mates of “Network Protocol, Host Security” technology effectiveness for all quartiles in Figure 8.
The lowest-performing quartile shows modest performance in two process areas (organization
and authentication/authorization/access) and two technology areas (network and physical
security). These areas are the most tactical in scope and straightforward in implementation, and
therefore where most organizations get started. They have deployed other controls lightly or not
at all, and assess their deployments as fairly ineffective.
20
Effectiveness with Controls for Managing IT RIsk
Figure 8: Process (top) and technology (bottom) control effectiveness scores for organizations in each performance
quartile. Organizations with higher performance show effective performance across most or all measures (shown as
distance from the graph’s center), rather than heavy emphasis on a few.
Moving from the lowest quartile to the highest reveals a clear trend. More-effective organizations
increase the number of controls they deploy, and raise the effectiveness of deployment of each
control. Organizations in the top two quartiles begin to experience diminishing returns in areas
such as physical security and authentication, authorization, and access, and much better returns
on measures such as configuration and change management, data lifecycle management,
operational design, training and awareness, and others. The path from good to great IT Risk
Management, then, involves moving from tactical, technical, and reactive to strategic, expansive,
and proactive measures. It also requires a balanced program to evaluate all 16 measures and
optimize incremental investments of people and dollars to achieve the greatest impact.
21
Process Controlsby Quartile
Assesment, Audit
Training, Awareness
Operational Design
Incident Response
Asset Inv., Classify, Mgmt.
IT Policy Mgmt., Architect
Authent., Author., Access 1
2
3
4
5
Org. Structure
W Technology Controlsby Quartile
Secure Systems
Secure Appl. Development
Config. and Change Mgmt.
Secure Data Lifecycle Mgmt.
Perform. Mgmt.
Resilient Infra.
Physical Security
Network, Protocol, Host Security
Worst Good Better Best Mean
Section 3
Organizations manage risks so that they can pursue opportu-
nities while keeping costs under control. Aligning differing
perspectives on and activities toward IT Risk – among technical
staff, managers and executives, and across departments and
regions – is critical to avoid gaps, duplication, and waste.
Aligning IT and business risks
23
Aligning IT Risk strategy to organizationalgoals
IT Risk Management strategy – the importance of alignment
Aligning IT to business strategy has been a consistent theme in the IT professional and industry
press for years. Yet progress is slow: CIO Magazine recently reported their readers’ number-one
priority for 2007 was – again – aligning IT and business goals.7 Why is alignment so important,
and how can an IT Risk Management program advance it?
When business and IT operate in alignment, clearly-visible links identify which IT assets and
operations support business operations and the value they create. This visibility transforms IT
from a cost center to a driver of business value. Alignment clarifies how IT resources may be
deployed to bring products to market faster, deliver more effective service to customers, and
generate new revenue streams for the business.
Aligning an organization’s IT Risk strategy to business strategy is as important as operational
alignment. Organizations’ risk profiles differ according to their lines of business and the strate-
gies they pursue to maximize their effectiveness. Just as IT departments align their operations
to best support those business objectives, they must align their Risk Management strategies as
well – investing most heavily to mitigate those risks with greatest potential for business impact,
and assuming greater exposure in those areas whose likelihood and impact are lower.
Whatever an organization’s risk profile and level of risk tolerance, risk mitigation typically means
the ability to manage a larger risk portfolio. Alignment closes gaps between organizational and IT
Risk strategies that would leave the organization critically exposed to internal and external risks
of all kinds. It also cuts duplication and over-investment that wastes resources and creates un-
necessary IT complexity and cost. Finally, a well-prepared IT Risk Management plan also guides
system design and decision-making, resulting in higher operational efficiency, greater capacity
for innovation, and lower IT costs. As a result, an effective strategy for mitigating IT Risk may
both protect an organization against incidents, and reduce IT cost and complexity.
24
Aligning their operations to support organizational strategy is a top priority for
IT executives worldwide. An effective IT Risk Management program creates an
IT Risk profile that supports the businesses’ larger objectives, accepting more
risk where business impact is low, and managing risk more closely in areas
where the most is at stake.
Our survey data identified lack of alignment on assessments of IT Risk within IT departments
themselves, and between IT departments and the organizations they serve.
Achieving internal alignment on IT Risk
The survey classified respondents’ jobs into Executive, Director, Manager, and Professional cate-
gories. Since the latter group includes non-IT employees, consultants, and third parties, the
analysis concentrates on the first three groups. Respondents reported the level of IT Risk they
perceived, first in complying with regulatory and policy requirements, and second in carrying
out business operations.
Figure 9 shows the level of compliance risk perceived across the range of professional responsi-
bilities in the survey. The results show an organizational chasm between the ranks of Managers
who implement IT programs – and therefore bear responsibility for the internal risk exposures
and shortcomings of the organization – and senior Executives who set direction for the organi-
zation, and bear responsibility for its exposure to external risks. The chasm appears in the
assessment of Critical risks at the Director level. Directors were least likely to perceive compli-
ance risk as Critical: only 16% did so, against 22% for Executives and Managers. Assessments
of High risks were close to parity: 44% of Directors rated their compliance risk as High, the
same as Managers and two percentage points below Executives.
Figure 9: Ratings of organizations’ compliance IT Risk by respondents in four job categories. Directors reported lower
levels of compliance risk than Executives or Managers.
25
Low Moderate High Critical
100%
80%
60%
40%
20%
0%
Perception of Compliance IT Risk by Professional Responsibilityby Job Role
Executive Director Manager Professional
%of
resp
ond
ents
Figure 10 repeats the analysis for IT Risk introduced by Business Processes. Misalignment of IT
Risk perceptions was even more dramatic, but in the opposite direction: 22% of Directors per-
ceived Business Process Risk as Critical, against only 8% of Executives and 12% of Managers.
Figure 10: Rating of organizations' business process IT Risk by respondents in four job categories. Directors reported
lower levels than either Executives or Managers.
Disagreements among the ranks continued with process and technology effectiveness ratings.
Section 2 revealed different effectiveness ratings for deployment of process and technology
capabilities. A closer look shows that while 39% of IT managers report their organizations 75%
or more effective in implementing technology capabilities, only 27% of executives agreed.
Again, IT professionals differ by job role in assessing their risk-management environments.
Of course, since these respondents were drawn from different organizations, alignment may be
better within organizations than the job-role analysis suggests. But the systematic differences
seen among Executive, Director and Manager perceptions were outside expectations based on
differences in experience with a regulation or technology.
The survey data, as well as discussions with respondents, revealed that the operational staff
closest to implementation of IT programs may be the most inwardly-focused, and have the high-
est awareness of specific weaknesses. Senior executives most removed from day-to-day opera-
tions may share a high perception of IT Risk, but with perceptions based on awareness of
external factors and concern for the unknown. The Director level – which would ideally bridge
these operational and strategic viewpoints to facilitate alignment – may be biased toward tacti-
cal operational risks over external or regulatory risks, due to their direct accountability for
operational IT Risks.
26
0%
20%
40%
60%
80%
100%
Low Moderate High Critical
Perceptions of Business Process IT Risk by Professional ResponsibilityJob Role
%of
resp
ond
ents
Executive Director Manager Professional
Why alignment on IT Risk matters
Misalignment of perceptions and actions is more than just a source of internal disagreement
about IT Risk Management policy; it can itself become a source of IT Risk. Misalignment occurs
in two ways, either of which may elevate risk.
The first type of misalignment is internal to IT, causing gaps in the way systems and processes
are developed, deployed and managed. Invisible until something goes wrong, these gaps may
cause sudden unexpected service-level shortfalls, system downtime, and security breaches.
Today this disconnect often occurs along organizational lines – for example, in the seams
between the executives and functions responsible for security, compliance, and operational
business continuity and availability. Solutions such as messaging typically require all these
functions to converge on a solution that is secure, available, and compliant, yet organizational
alignments make convergence difficult to achieve.
27
Collecting data for this study at IT conferences and roundtables, we heard a recurring theme about alignment.
Respondents told us that training users about IT and security risks, for example, ranked among their greatest
challenges. Recall that in Figure 4 of Section 2, we saw that Training and Awareness ranked third from the
bottom in effectiveness among eight process controls. They insisted that technology-based controls can only
go so far, and that effective mitigation of IT Risk requires behavioral changes by end users throughout the
organization.
Two elements were frequently cited as necessary to encourage behavioral change. The first was quantification
of value to the organization as a whole. Until an organization’s stakeholders understand the impact of lost infor-
mation, unavailable systems, and non-compliant processes in terms that are meaningful to them – lost sales,
dissatisfied customers or reduced productivity, for example – sustained focus will remain out of reach. Dramatic
examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insuffi-
cient motivation to do more than the minimum.
The second element is culture. Organizations have different risk profiles to which IT Risk programs should be
tuned. But they may also incorporate different workforces and cultures that will accept different levels of IT pol-
icy awareness and compliance. For example, a company with tens of thousands of employees averaging 24 years
of age may require a very different policy for IM use and Web access on company systems and time than smaller
companies with older workforces. Selective enforcement and highly visible actions may be more effective than
stringent policies that are unenforceable because they fail to align with the organization’s culture.
Alignment – the business side
The second type of misalignment is between the IT function and the rest of the organization.
The IT Risk program may not fully reflect or respond to the needs of the organization as a whole,
resulting in loss of agility and increased risk. Alternately, organizational units and functions
may not have sufficient awareness of their own IT Risk exposures. These disconnects result in
“ivory tower” IT programs that over-invest in risk areas relevant to IT but not necessarily high
organizational priorities, or under-invest in areas critical to organizational goals. Both result in
lower contributions to the organization’s overall success.
Active management and mitigation of IT Risk requires IT departments to avoid risks created by
misalignment. First, they must make sure their departments are aligned internally. From the CIO
to the backup administrator, everyone in the department should share an understanding of IT
Risks and priorities, and how they relate to their own areas of responsibility. Second, IT man-
agement must work closely with clients and stakeholders in the organization as a whole, enlist-
ing their help to assure that IT priorities reflect the organization’s goals and objectives, and to
drive compliance with IT Risk Management programs where necessary. In combination, internal
and business alignment assures appropriate resource allocation and operational efficiency.
Companies following best practices in managing IT Risk incorporate the IT Risk strategy within
the organization’s annual planning process to ensure alignment within IT and across the
organization, and then track performance at an executive level as part of a corporate balanced
scorecard.
28
29
How do your incident expectations measure up to those of the organizations in the survey? Answer these four
questions, and check your results against survey norms on the last page of the report:
Context: What reflects the expected frequency of the following incidents in your organization?
1. Regulatory Your enterprise is found to be out of compliance with one or more governing
Non-Compliance regulations:
Never
Once every 5 years
Once every 2 years
Once a year
More than once a year
2. Major Information Service impact to your organization, caused by a loss of information, confidential-
Loss ity, integrity or availability (e.g. data center outage, data corruption, full breach of
security):
Never
Once every 5 years
Once a year
Twice a year
More than twice a year
3. Major IT Impact Severe impact to your IT organization affecting more than 10% of your clients
and/or servers – halting operations of some critical part of your operations:
Once every 5 years
Once a year
Twice a year
5 times a year
More than 5 times a year
4. Minor IT Impact Minor impact to your IT systems affecting less than 10% of your clients and/or
servers, hinders the work of individuals or groups:
Once a year
10 times a year
20 times a year
Every day
More than once a day
Sample questions
Answers to self-test on page 47.
Section 4
Organizations achieve effective IT Risk Management by deploy-
ing a broad range of IT technology and process controls. The
transition from good to great IT Risk Management is achieved
primarily by increasing effectiveness across the full range of
measures in a structured, disciplined program that proceeds
from a broad assessment of IT Risks to a closed-loop process of
continuous improvement.
Understanding effective Risk Management
31
Understanding effective IT Risk Management
Achieving Best in Class IT Risk Management
Few organizations have achieved the level of IT Risk Management performance achieved by
Best in Class organizations in this survey. The field is still emerging, and not all organizations
are yet organized to deal with IT Risk in an integrated fashion. Nor do all companies face the
same levels of IT Risk or share similar risk profiles. The case for change, however, is compelling:
organizations are experiencing rising incident rates across the areas of security, availability,
performance, and compliance, with significant impact to revenue, reputation, productivity, and
cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthor-
ized access to information averaged over $85,000 in 2006,8 and system downtime costs reached
tens of thousands of dollars per hour.9 It doesn’t take long for incidents of this scale to create
significant drag on an organization.
How can organizations advance from good IT Risk Management practice to great? For organiza-
tions trying to manage IT Risks effectively, the challenge includes understanding their portfolio
of IT Risks, quantifying and prioritizing them against the organization’s risk profile, and devel-
oping an effective program of remediation activities.
A five-step process can help organizations assess their levels of IT Risk, develop remediation
roadmaps, and ultimately build effective, continuous IT Risk Management Programs. While the
steps themselves, detailed in Figure 11, may seem familiar, the specific tools and tasks support-
ing them are very valuable, and linkages between phases help maintain focus and continuity of
organizational commitment.
32
How can an organization build its capabilities for IT Risk Management? While
there is no single formula or protocol, a broadly-applicable assessment, quan-
tification, design, alignment and measurement program can help organizations
marshal their resources effectively to achieve real, lasting improvements in
IT Risk Management, often while reducing IT infrastructure and process com-
plexity and cost.
Figure 11: Five-step IT Risk Mitigation process.
Step 1 – Develop awareness of IT Risks
IT Risk mitigation begins with comprehensive discovery, including:
• establishing the program’s scope (how expansive a view of IT Risk is appropriate?)
• constructing a risk profile for the organization based on its overall priorities
• identifying key areas of IT Risk
For many companies, the challenge of discovery includes both identifying new areas of risk,
often by evaluating the risk profile and assessment against IT best practices, and organizing the
dozens or hundreds of IT Risks of which they are already acutely aware.
A common question at this stage is, “How do I take the issues I already know about and assem-
ble them into a comprehensive, structured framework I can assess and prioritize?” A clear
framework requires identifying critical IT assets and understanding how they support critical
business processes. Critical assets include the technology infrastructure underlying corporate
operations, staff with privileged access to information, and the organization’s IT operational
processes.
Assessment should also consider the organization’s current requirements, capabilities and
vulnerabilities. Requirements include legal obligations such as regulations, contracts, and
service level agreements, as well as business requirements such as the privacy, availability,
and integrity of business information.
Finally, this stage involves identifying and classifying threats, issues, vulnerabilities, and
weaknesses, assigning each a priority according to risk. The search for vulnerabilities and
weaknesses should cover applications, infrastructure, operations, and organizations.
33
DevelopAwarenessof IT Risks
QuantifyBusinessImpacts
DesignSolution
Align IT /Business Value& ImplementSolution
Build &ManageUnifiedCapability
Step 1 Step 2 Step 3 Step 4 Step 5
IT Risk Assessment and Management Process
Step 2 – Quantify business impacts
Quantifying business impacts is typically the most challenging step – and the most important.
Until they have quantified the impact, positive or negative, of addressing an area of IT Risk,
IT leadership may be unable to attract their colleagues’ attention to it, or the funds needed for
mitigation.
The “currency” of the business case varies according to the business and the area of risk. A Web
site crash will mean lost revenue or sales for a retailer, negative brand impact or lost viewers for
a media company, lost productivity for a manufacturer, and so on. The key is to build a case that
makes sense in the local currency, whatever it may be.
Quantification of business impacts typically follows a two-phased approach. In the first, the full
portfolio of risks is coarsely prioritized based on potential business impacts according to the
organization’s risk profile and the ease or difficulty of risk mitigation, measured in time, staff
resources, and investment. The second phase builds detailed business arguments for only those
risks identified as high-impact areas. The model can be iterative, and it should be periodic,
linked to the organizational and IT planning cycles.
Step 3 – Design solution
At this point, the organization knows the scope and components of its Risk Management pro-
gram, its current status, and the priority and quantification of each area of IT Risk.
The next step is to design a set of remediation solutions, across the classic elements of people,
process, and technology, each with requirements, specifications, goals, and functions. For some
organizations this will be a narrowly-focused activity to address the most imminent areas of
risk; for others a longer-term program with sequenced waves of initiatives.
This phase also includes detailed costing analysis to keep costs and benefits of proposed initia-
tives aligned to organizational goals. For example, a model might be designed to provide tiered
levels of service based on the priorities for different types of data and portions of the business.
Solutions that reduce risk frequently also reduce complexity and cost. This is especially true
when risks have been introduced by dense or poorly-followed processes, misaligned organiza-
tional models, or unclear requirements or policies.
34
Step 4 – Align IT and business value; implement solution
Although quantification is the most difficult step, most programs’ success lies in the effective-
ness of implementation. Implementation determines whether risk-mitigation initiatives are
deployed successfully across people, process, and technology with close involvement of organi-
zational stakeholders, or devolve into local IT projects measured narrowly by software and gear
implemented and administrators trained.
Closed-loop measurement and continuous improvement are essential. With a coherent system
of metrics and performance management capabilities, organizations set the stage for collection
of baseline data, performance tracking, and assessment of program effectiveness against the
original business case.
Step 5 – Build and manage unified capability
Once implementation of the first wave of IT Risk solutions is underway, organizations should
institute programs for continuous improvement and ongoing governance of their IT Risk Man-
agement program.
As in most change-management programs, IT Risk Management follows a maturity model that
begins with tactical basics and evolves to Best-in-Class performance. For most organizations,
their position in this maturity model depends on their IT Risk profile and progresses through
several waves of organizational, process, and technological change before reaching its goal. By
adapting their efforts as their experience and effectiveness grow toward maturity, organizations
can avoid or overcome the most common implementation challenges, including:
• replacing guesswork with quantification and prioritization of IT Risk Management efforts and
investments
• replacing intermittent, reactive projects with a program that delivers consistent improve-
ments over the long run
• replacing speculation with clear progress against consensus goals to secure the long-term
investments needed for mitigation of IT Risks
35
37
Section 5
In order to understand organizations’ IT Risk strategies better,
we classified respondents into profiles based on their level of
IT Risk and IT Risk Management effectiveness. While there are
many ways to manage risk successfully, the resulting levels of
risk and the costs to the organization can vary greatly. The best
companies align investment to exposure, to focus attention
and resources where they matter most.
Risk Mitigation: process and payoff
37
IT Risk mitigation profiles
Effective mitigation
To explore the limits of risk mitigation, we performed a cluster analysis (n=310) to identify con-
sistent patterns in survey respondents’ risk exposure, effectiveness of mitigation efforts, and
expectation of IT incidents. The analysis revealed three groups in which respondents are similar
to one another, but different from those in the two other segments:
• At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing
medium to high levels of IT Risk, but demonstrate poor effectiveness in addressing it through
mitigating process and technology measures. Organizations with this profile typically expect a
high rate of incidents.
• IT Risk Mitigators (23%) maintain effective IT Risk Management programs, but actually
experience low levels of IT Risk. Organizations in this category seem to address IT Risk
through overinvestment, ensuring mitigation, but at high costs.
• IT Risk Balancers (42%) pursue a matching strategy, meeting their organizations’ high levels
of IT Risk exposure with highly-effective mitigation processes and technologies. These organi-
zations are frequently Best in Class.
Figure 12 shows the performance of the three groups revealed by the cluster analysis, display-
ing all five underlying measurements instead of the single composite score used to create the
clusters. The most interesting results are from the IT Risk Mitigator cluster. Mitigators, like Bal-
ancers, show high process and technology effectiveness – yet they face the lowest IT Risk levels
of any group. Nothing in their underlying demographics separates Mitigators from Balancers.
Instead, it appears that these organizations have chosen IT Risk Management strategies that
meet comparatively low levels of IT Risk with investments that keep their mitigation processes
and technologies highly effective. Mitigators expect to enjoy low incident rates, but it is possible
that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would
identify over-investments, signaling excessive costs, and missed opportunities elsewhere.
38
The way an organization manages the challenges in its environment can make
the difference between a defensive, reactive position and an active posture
that gives it the freedom to choose appropriate risks, effective actions, and its
own path.
Figure 12: Organizational clusters, showing all five underlying measurements. Mitigators deploy high technology and
process effectiveness despite comparatively low levels of compliance and business-process IT Risk.
Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor
grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis):
Figure 13: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness,
showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk.
The cluster analysis did not identify a fourth group, occupying the lower-left quadrant and
combining low levels of IT Risk and poor implementation of IT Risk Management programs.
We suspect that such organizations are underrepresented in our sample because they are less
likely than others to participate in surveys about IT Risk Management or attend industry events
with IT Risk Management prominent on the agenda.
39
ITR
Isk
Man
agem
ent
Eff
ecti
ven
ess
Low
Hig
h
Low-Mid High
IT Risk Exposure
IT RiskMitigators
IT RiskBalancer
IT Risk
Risk Management Patterns – Cluster Analysis
IT Risk Exposure, Control Effectiveness and Incident Experience by Performance Cluster
Operating Risk Index
Incident Index
Compliance Risk Index
Process Effectiveness Index
Technology Effectiveness
At Risk Balancer Mitigator
We speculate that this group faces low levels of risk, and implements IT Risk Management
programs poorly, if at all. Their IT Risk strategy, which may not be articulated, might be to react
to risks one by one as they arise, absorbing incident costs when that reaction is missing, inade-
quate or too late. Some may self-insure against IT Risks by maintaining reserves of financial
assets to help with recovery from incidents.
Risk mitigation: how far?
Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and com-
mon sense suggest not – and certainly not at a reasonable cost. IT Risk must be managed,
minimizing risk and cost in areas most vital to the organization, without constraining business
performance.
And as organizations evolve over time, business priorities change, new regulations are enacted,
and new external and internal threats to information and infrastructure crop up every day.
A changing IT Risk landscape demands consistent, programmatic management to adapt to and
mediate new forms of IT Risk. The five-step approach described in Section 4 emphasized the
importance of iteration and management to address risk as part of a program of continuous
improvement.
Organizations that manage their risk portfolios effectively create opportunity: they can make
educated, informed decisions on how and when to take on additional risk. Their improved IT
Risk Management capacity gives them latitude to innovate and explore a wider range of
business options. IT’s support of this capacity for flexible innovation is among its greatest
contributions to business value.
40
41
We undertook this study to understand IT Risk and the effectiveness of technology and process controls in
managing that risk. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational
risk – and while true, it may not be the full story. Organizations may also choose to invest in process and technol-
ogy improvements with a primary goal of increasing operational efficiency. Lower risk levels in the Mitigator
cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for
operational effectiveness. Our results don’t speak to their motivations.
But regardless of the motivations, these disciplines have positive impacts. Risk-management investments pay off
by reducing incidents and freeing organizations to compete with greater confidence, agility, and success.
Operational efficiency – the same path to a different goal
ConclusionsAn organization’s assets, operations, and personnel may be brought to harm by internal or
external threats carried out or weaknesses exposed across IT networks and systems. Managing
IT Risk – in service of your organization’s mission – is the subject of this report, and the purpose
of this series.
In a major year-long study, IT professionals reported significant gaps and shortcomings in their
organizations’ deployments of controls to help them manage IT Risk. Respondents rated their
organizations more effective at implementing risk-management technology than processes
across the full range of industries, geographies, organization size and professional responsibili-
ties. And they saw particular problems in managing IT assets and configuration and change
control – both areas of critical importance in bringing IT Risks under control.
Respondents also displayed different perspectives on risk based on their individual responsibili-
ties, and identify serious problems aligning and coordinating IT Risk Management with the
broader goals of their organizations. Misalignment is itself a source of IT Risk, from risk expo-
sures created by gaps between IT and organizational perceptions and priorities, and over-
investment in areas of low organizational priority, sapping resources more effectively deployed
elsewhere.
Best-in-class organizations – even though they face higher levels of IT Risk – anticipate fewer
incidents, due to careful investments that maintain high effectiveness over the entire range of
technology and process controls.
The report outlines a five-step process to help organizations put consistent, measurable, long-
term programs in place, avoiding over- and under-investment, and achieving steady improve-
ments measured against consensus goals.
Managing IT Risk is everyone’s job. From the CIO to the backup administrator, everyone should
share a common understanding of IT Risks, their priorities, and how they relate to their individ-
ual areas of responsibility. IT management must work closely with their business clients to
assure those priorities reflect the goals and objectives of the business as a whole. In combina-
tion, internal and business alignment assures appropriate resource allocation and operational
efficiencies.
42
Appendix
Methodology
Data collection
Between October 2005 and October 2006, Symantec collected 528 responses from IT profes-
sionals attending IT events worldwide. Respondents completed survey questionnaires and sub-
mitted results in person. Respondents were offered and received a report comparing their
responses to a benchmark group. To ensure candid responses and protect participants’ privacy,
Symantec contracted a third party, Ecosystems LLC of Vienna VA to collect, process, aggregate,
and protect the confidentiality of survey results on behalf of Symantec.
Survey instruments
Symantec collected 528 records using two survey instruments. The first, with 218 respondents,
covered Compliance Risk, Incident Rate, Technology Effectiveness and Process Effectiveness.
The second added a section on Business Process Risk and additional questions about Compli-
ance Risk, Technology Effectiveness and Process Effectiveness. An additional 310 individuals
responded to the expanded survey.
Most questions were identical on both surveys, so we combined those results for a sample size
of 528. Additions and improvements to the second survey prevented use of the full record set
for every analysis. As a result, much of the report reflects the 310 responses from the second
survey, with the larger sample size and more complete set of questions.
Demographics
We fielded both versions of the survey to a broad demographic group, and identified the indus-
try, number of employees, respondent job role and global or regional coverage of the respon-
dent’s business operations. These demographics provided the variables for much of our
analytical work.
Industry was classified into 37 segments, assembled into seven groups. The “Other” industry
group comprises Agriculture, Mining, Construction, Retail, Wholesale and Energy.
44
Figure A1: Breakdown of 528 responses by industry. Please see the text for details.
We collected 161 and 308 job-role classifications from Surveys 1 and 2, respectively. We
attribute the lower response rate for job roles in Survey 1 to privacy concerns among European
respondents. The “Professional” role includes business, consultant and other non-IT job
functions.
Figure A2: Breakdown of responses by respondents’ professional responsibilities. Please see the text for details.
45
Respondents by Industry
Public Sector
Financial Services
Services
Manufacturing
Other
Telecom, Media
Healthcare
0 10 20 30 40 50 60 70 80 90
Survey 1 Survey 2
Number of Respondents
Professional
Executive
Director
Manager
0 20 40 60 80 100 120
Respondents by Professional Responsibility
Survey 1 Survey 2
Number of Respondents
We measured organization size according to number of employees. As seen below, 215 respon-
dents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at
their organization.
Figure A3: Breakdown of responses by organization size. Please see the text for details.
We asked respondents to indicate the major areas of the globe in which their organizations had
operations. This question allowed respondents to pick multiple geographic regions, so the
number of responses exceeds the number of respondents. Since we did not identify headquar-
ters country, specific attribution of responses to geographic regions is not possible. We can,
however, understand risk-management behavior in terms of geographic scale of operations and
globalization.
Figure A4: Breakdown of 528 responses by respondent organizations’ operating region. Please see the text for details.
46
5,001 to 20,000employees
> 20,000employees
1,001 to 5,000employees
< 1,000employees
0 2010 40 5030 60 70 80 10090
Respondents by organization size
Survey 1 Survey 2
Number of Respondents
North America
Asia Pacific
EMEA
Latin America
0 50 100 150 200 250 350300
Respondents by organization operating regions
Survey 1 Survey 2
Number of Respondents
We collected 92 of the 528 total responses during events conducted in Europe and South Africa,
most during events based in the United Kingdom. Where appropriate, we compared these to the
rest of the data set. Please see the report text for details.
Use of Indexes
Indexes used in the report measured total importance or impact of a risk, effectiveness meas-
ure, or incident rate across respondents. During the analysis phase, we used the data to create
six indexes summarizing the average response to a set of questions. We used each index to com-
pare means across organization demographics or respondent group, and for correlation and
comparative analysis.
The six indexes used in the analysis are:
• Compliance Index – compliance risks listed on page 11.
• Business Process Index – business process risks listed on page 19.
• Incident Rate Index – incident expectations, as described on page 19.
• Process Effectiveness Index – effectiveness of organizations at implementing process capa-
bilities listed on page 18.
• Technology Effectiveness Index – effectiveness of organizations at implementing technology
capabilities listed on page 18.
• Overall Effectiveness Index – combination of the previous two indexes.
Answers to the Self-Test
To score your responses against incident expectations reported by 310 respondents in Survey 2,
assign a value of “1” if you selected the least-frequent alternative, “2” for the next, to a maxi-
mum of “5” for the most-frequent alternative. Add the four scores, and then compare them to
the survey sample using this table:
Best in Class = fewer than 6 points
Good performance = 6 to 10 points
Underperforming = more than 10 points
47
ReferencesNotes1 Michael Porter. Competitive Advantage: Creating and Sustaining Superior Performance. (New York: The Free Press,
1985).
2 Information Technology – Security Techniques – Code of Practice for Information Security Management. (ISO/IEC
17799:2005(E). (Geneva: International Organization for Standardization, 2005).
3 Aligning COBIT, ITIL and ISO 17799 for Business Benefit. (Rolling Meadows, IL: IT Governance Institute and Norwich,
UK: Office of Government Commerce, 2005).
4 IT Infrastructure Library, http://www.itil.co.uk. (Norwich, UK: Office of Government Commerce).
5 ITIL Change Management Maturity Benchmark Study. (Sterling, VA: Evergreen Systems, Inc., July 2006).
6 Sunny Gupta. “ITIL Adoption.” E-Business Blog, http://www.line56.com. (Los Angeles: Line56.com, Oct 13, 2006).
7 CIO Magazine. State of the CIO Survey. http://www.cio.com/state. (Boston: International Data Group, 2007).
8 Lawrence Gordon, Martin Loeb, William Lucyshyn and Robert Richardson. 2006 CSI/ FBI Computer Crime and Security
Survey. http://www.goCSI.com. (San Francisco: Computer Security Institute, 2006).
9 “From Contingency to Continuity.” Information Age, http://www.information-age.com. (London: Infoconomy, Ltd.
February 10, 2004)
General References
Adner, Ron. “Match Your Innovation Strategy to Your Innovation Ecosystem.” Harvard Business Review, April 2006:
reprint.
Broussard, Frederick, Stephen Elliot, and Tim Grieser. ITIL Penetration is Moving Faster than You Might Think: Some
Results of the System Management Software Strategies Study. Framingham, MA: IDC, March 2006.
Champy, James. “Four Steps to Successful IT/Business Alignment” SearchCIO.com. Needham, MA: TechTarget, May 11,
2005.
Craig, David, and Ranjit Tinaikar. “Divide and Conquer: Rethinking IT Strategy.” McKinsey on IT, Fall 2006: 4-13.
Froot, Kenneth, David Scharfstein, and Jeremy Stein. “A Framework for Risk Management.” Harvard Business Review,
November-December 1994: reprint.
Hughes, Greg. “Five Steps to IT Risk Management Best Practices.” Risk Management Magazine, July 2006: 34-40.
Kolodgy, Charles J., Christian A. Christiansen, Brian E. Burke, Sally Hudson, Allan Carey, Rose Ryan, J.D. Top 10
Predictions for Security in 2006: Countering Crafty Criminals and Insidious Insiders. Framingham, MA: IDC, March
2006.
Lassiter, Lee. CIO Guide to Sarbanes Oxley. Edgewater, MD: ReymannGroup, Inc., January 2005.
Macauley, Tyson. “Operational Risk and Resiliency Frameworks, A tale of five risk management characters and how they
fit into your organization.” http://www.csoonline.com. Framingham, MA: CXO Media, October 30, 2006.
META Group. “Enterprise Application Trends.” META Trends 2005/2006. Stamford, CT: Gartner, Inc. 2005. Rasmussen,
Michael. Enterprise Risk Management, Measuring and Gaining Control of Risk. Cambridge, MA: Forrester Research,
Inc., December 29, 2004.
Vijayan, Jaikumar. “Defending Data will be IT Manager 2007 Focus.” http://www.computerworld.com. Framingham, MA:
IDG Network, November 8, 2006.
48
NO WARRANTY. The information provided in this document is being delivered to you “AS IS” and Symantec Corporation makes no warranty as to its accuracy or
use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors.
Symantec reserves the right to make changes without prior notice.
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
About Symantec
Symantec is a global leader in
infrastructure software, enabling
businesses and consumers to have
confidence in a connected world.
The company helps customers protect
their infrastructure, information, and
interactions by delivering software
and services that address risks to
security, availability, compliance,
and performance. Headquartered
in Cupertino, Calif., Symantec has
operations in 40 countries.
More information is available at
www.symantec.com
For specific country offices and
contact numbers please visit our
Web site. For product information
in the U.S., call toll-free
1 (800) 745 6054.
Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
1 (408) 517 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2007 Symantec Corporation. All rights
reserved. Symantec and the Symantec logo are
trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their
respective owners.
1/07 11859849
Confidence in a connected world.