
Shortcomings in Approaches to Mitigating IT Risk

News Release
Symantec Report Identifies Shortcomings in Approaches to Mitigating IT Risk

Organisations anticipate security breaches, believe they are less effective at process controls, and demonstrate misalignment within their own internal IT organisation regarding risk perception

Symantec Corp. (NASDAQ: SYMC) today released the Symantec IT Risk Management Report, highlighting that 60 percent of respondents expect at least one major IT incident per year that could halt or disrupt a critical part of the business. The Symantec IT Risk Management Report, a new report aimed at helping executives and IT operational personnel understand the critical elements involved in an effective IT risk management strategy, is based on input from quantitative and qualitative survey research conducted over a twelve-month period ending October 2006. Symantec collected information from more than 500 respondents, ranging from IT managers to top IT executives, in organisations with worldwide operations across a wide representation of industry segments.

“The ING Renault F1 Team’s IT infrastructure is critical to our relationships with customers and partners and therefore, we are committed to managing IT risk as part of our larger business strategy,” said Graeme Hackland, IT manager, ING Renault F1 Team. “In today’s environment, understanding our exact risk profile and how we can better prioritise our resources to ensure an effective IT risk strategy is top of mind.”

Organisations Anticipate Security Breaches, Incidents

The Symantec IT Risk Management Report survey data indicated that a majority of respondents expect to be impacted by some type of security or compliance incident in the next one to five years. Specifically, 66 percent of respondents expect a major regulatory incident at least once every five years. Additionally, 58 percent of respondents expect a major data loss caused by events such as data centre outage, corruption of data, or breach of security systems, at least once every five years.

Deployment of Process Controls Falls Behind Technology Controls

Effective IT risk management requires a strong combination of expertise and investment in process controls and technology controls. The most effective IT risk management programs use defined controls that combine well-chosen technologies and best-practice processes. The Symantec IT Risk Management Report revealed that professionals surveyed at all levels of organisations, across industries, scale and geographic reach, view their organisations’ capabilities with technology controls as more effective than with process controls.

The report findings indicated that authentication, authorisation, and access was the process control rated highest for effectiveness, with 68 percent of respondents rating their organisation more than 75 percent effective. The report also underlined a specific process control problem in identifying, classifying and managing IT assets. Only 38 percent of respondents rated themselves more than 75 percent effective in implementing asset inventory, classification and management process controls. These controls are of fundamental importance in building an IT risk management program which reflects the organisation’s priorities. Without careful risk assessment, all assets are likely to be treated equally, where some may be overprotected and others underprotected.

“Organisations are beginning to see the value in taking a proactive, rather than reactive approach to their IT risk management strategy,” said Jon Oltsik, senior analyst at Enterprise Strategy Group. “Effective IT risk management requires organisations to assess both their technology and processes, as well as have clear understanding and agreement about different risks that may impact their systems and their overall business.”

Misalignment Exists Within Internal IT Organisational Roles Regarding Perception of Risk

The Symantec IT Risk Management Report revealed a noticeable difference in the way IT staff and IT executives view their organisation’s IT risk exposure, particularly around perceived risk related to both business process and compliance risk. For example, 8 percent of IT executives rate business process risk as critical to their IT operations, compared to 22 percent of IT directors, while 23 percent of IT executives rate compliance risk as critical to their IT operations, compared to 16 percent of IT directors.

Symantec believes that strong alignment between all areas of IT and the business must exist in order for IT risk management investments to be successful. These differing internal IT viewpoints could even create risk by producing poor coordination with the larger business. This may result in over- or under-investment in controls, leading to wasted resources and ineffective IT risk management programs.

“As organisations are growing more and more dependent on their IT systems to conduct business, IT risk has become a primary concern for business leaders and one that should be addressed as part of a larger business risk management strategy,” said Greg Hughes, executive vice president, Symantec Global Services. “The Symantec IT Risk Management Report offers organisations a comprehensive view of IT risk perceived by various organisations worldwide.”

Holistic Approach to IT Risk Management Yielded Fewer Incidents

Data from the Symantec IT Risk Management Report identified a trend related to Best-in-Class organisations. In this report, Symantec defines Best-in-Class organisations as the top 25 percent of respondents who rated their effectiveness in implementing 16 control areas. These organisations experience higher levels of compliance and business process risk, but lower levels of IT incidents. A detailed analysis revealed that Best-in-Class organisations perform with high effectiveness across a variety of controls, including process controls, creating a holistic approach. The data also indicated that lower-performing organisations typically focus on a small number of more tactical technology controls rather than implementing a broad range of control areas.

The Symantec IT Risk Management Report provides organisations with the benchmarks and recommendations that they need to evaluate the effectiveness of their own IT Risk Management strategy.

The Symantec IT Risk Management Report is available on Symantec’s web site at www.symantec.com/riskreport.

About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information and interactions by delivering software and services that address risks to security, availability, compliance and performance. Headquartered in Cupertino, California, Symantec has operations in 40 countries. More information is available at www.symantec.com.

###

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


© Scoop Media
