RealTime IT News

Symantec Finds Scope of IT Risk Widening

Symantec has released its second annual Risk Assessment survey, and the results show that the definition of "risk" is expanding, as are the threats facing IT.

The survey of 405 IT managers, undertaken between February and November 2007, found that their top concern is network availability -- with 78 percent citing it as a business-critical or serious risk.

The finding marked the first time that network availability surpassed security among IT managers' concerns.

Security, which 70 percent of IT managers said was business-critical or a serious concern, was followed by performance (68 percent) and compliance (60 percent).

"That told us two things: respondents are taking a broader view of IT risk and what constitutes it and they are shifting away from just a security-oriented view to one of availability, compliance and performance," said Jennie Grimes, senior director of Symantec's IT risk management program office.

But while IT managers' concerns are multiplying, confidence in their ability to keep a rein on things is slipping. More than half, 53 percent, said they expected a major IT incident related to those four issues.

Yet only a third said they had good management, configurations and backup plans.

Part of the reason for this is risk's increasing scope. A year ago, the industry considered a risk incident to be a hacking attack. Now, the term includes human error -- like losing a laptop or backup tape, failing an internal audit and poor-performing applications.

The other problem is that with so many laptops being lost or stolen and insecure technologies, ranging from instant messenger to USB thumb drives, entering the workplace, IT is getting away from the people who live by it.

"I do believe the infrastructures are getting more complicated and I do believe that the notion of the perimeter of the network -- traditionally having been a physical thing -- is shifting to the human being and is causing complexity to increase," Grimes said.

One possible reason for the drop in confidence is that the definition of IT and its influence on companies have also grown -- so much so that IT has become the lifeblood of firms.

In recent years, the discussion among C-level executives has been how IT is expected to drive profits. Now the situation is beyond that, where companies simply can't function without it.

"Organizations are realizing how much they rely on IT," Grimes said.

For example, she said she noticed that many large firms now have a new executive in the ranks, the vice president of IT risk management, whose job is to deal with risks to the IT infrastructure.

Grimes said she's met about 40 now, all relatively new to the position.

What's different about them is that they all report to different superiors. Some report to the CIO or chief information security officer, some to legal and others to auditing and the controller. A few even report to the board of directors, she said.

"When you see that kind of range, that shows most organizations understand that it has to have an owner or a driver of risk assessment in the organization, but most of them are still grappling with how to empower that singular owner," she added. "They know it has to be one person who holds the reins but there is a lack of clarity of their responsibility."

The way to get management to respond, they have learned, is to talk in business terms, she said.

"I do think in the coming year you will see things around this enablement discussion," Grimes said. "Some of that will be IT risk managers realizing they have to change their language."

One such example: An IT risk management executive may report a poor-performing e-commerce server in technical terms -- such as describing the slower response, the inability to handle large numbers of customers, or some kind of benchmark. That doesn't work.

But when the IT risk management officer says the company loses about five percent of sales due to a poor-performing server, "then you have their attention."