News Release
FOR IMMEDIATE RELEASE
Symantec Research Debunks Common Myths that Contribute to IT Failures
Report Reveals IT Taking a More Balanced, Less Security-Centric Approach to IT Risk
Symantec Corp. (Nasdaq: SYMC) today released the Symantec IT Risk Management Report Volume II, revealing that awareness of the importance of IT risk management is increasing, however several myths persist. Despite
the finding that practitioners are embracing a more balanced approach that encompasses security, availability,
compliance and performance risks, misunderstandings of IT risk management can lead to potential IT system failures, and
ultimately impact business continuity. The report also indicates process issues cause 53 percent of IT incidents, while
IT often underestimates the frequency of data loss incidents.
The comprehensive report, driven by the analysis of more than 400 in-depth, structured surveys with IT professionals
worldwide, identifies key issues and trends, and analyses and dispels the following four myths commonly associated with
IT risk:
- The myth that IT risk management is focused only on IT security;
- The myth that IT risk management is project driven;
- The myth that technology alone can manage IT risk;
- The myth that IT risk management has already become a formal discipline.
Myth One: IT Risk is Security Risk
Despite traditional perceptions associating IT risk primarily with security risks, survey results indicate the emergence
of a broader view among IT professionals. Of the survey respondents, 78 percent gave “critical” or “serious” ratings to
availability risk as opposed to security, performance and compliance risks, with 70, 68 and 63 percent respectively. The
fact that only 15 percent separate the highest and lowest scoring risk-types indicates that IT professionals are
adopting a more balanced, less security-centric view of IT risk.
“It is encouraging to see Symantec’s report highlight that organisations are recognising the criticality of managing IT
risk in areas such as availability and performance in addition to security,” said Jon Oltsik, senior analyst at
Enterprise Strategy Group. “In today’s connected world, businesses are starting to understand that failures across a
broad spectrum of systems can impact the business operations and results.”
The report findings confirmed that security and compliance risks often attract attention because of their high
visibility and impact — 63 percent of respondents rated data loss incidents as having a serious impact on their
business. However, increased emphasis is being placed on availability risks, which the report shows can flow through the
value chain and create impacts measuring in millions of dollars, even from minor performance issues. Researchers at
Dartmouth and the University of Virginia recently determined that a hypothetical Supervisory Control and Data
Acquisition (SCADA) network failure at an oil refinery would result in an estimated economic impact of US$405 million,
with the supplier only bearing $255 million of the impact while others in the supply chain would assume the remaining
loss (http://www.ists.dartmouth.edu/library/207.pdf).
Myth Two: IT Risk Management is a Project
The myth that IT risk management can be addressed in a single project, or even as a series of point-in-time exercises
across budget periods or years, ignores the dynamic nature of the internal and external IT risk environment. IT risk
management should be approached as an ongoing process in order to keep pace with the changing landscape businesses face
today. IT security, availability, compliance and performance incidents can impact the modern organisation at an alarming
rate. The report revealed the following regarding the frequency of different types of IT incidents:
- 69 percent expect a minor IT incident once a month;
- 63 percent expect a major IT failure at least once a year;
- 26 percent expect a regulatory non-compliance incident at least once a year;
- 25 percent expect a data-loss incident at least once a year.
The report shows that the most effective organisations take a more holistic approach. However, many organisations appear
to be failing to implement some fundamental risk management controls, such as asset classification and management, where
only 40 percent of participants rate their performance as 75 percent effective or higher. In addition, only 34 percent
of participants believe that they have an up-to-date inventory for their wireless and mobile devices, which are
essential in today’s business world.
Myth Three: Technology Alone Mitigates IT Risk
While technology plays a critical role in risk mitigation, the people and processes supported by technology also
determine the effectiveness of an IT risk management programme. According to the report, process issues cause 53 percent
of IT incidents. Several controls also showed a decline in ratings from the previous report one year ago, causing
increasing concerns. For instance, process controls such as training and awareness decreased from nearly 50 percent in
Volume I to only 43 percent of respondents rating their training and awareness programmes as more than 75 percent
effective.
Similarly to Volume I, the new report also shows very little improvement for the low rating of the asset and inventory
classification control. Finally, only 43 percent of participants rate data lifecycle management “greater than 75
percent” effective, a 17 percent decline from Volume I. Weakness of these controls suggests that assets will be treated
equally, so that some systems, processes and objects will be overprotected and others under protected from IT risk,
resulting in cost and service inefficiencies.
Volume II of the IT Risk Management Report highlighted a 10 percent improvement in the number of participants rating
secure application development “more than 75 percent effective.” The report also signals that problem management is
rising on the agenda.
Myth Four: IT Risk Management Has Already Become a Formal Discipline
The report makes it clear that IT risk management is an evolving business discipline, rather than a precise science, due
to reliance on the experience accumulated by individuals and organisations as they keep pace with a changing business
and technology environment. There is a growing understanding that IT risk management incorporates elements of
operational risk management, quality control and business and IT governance. In addition, practitioners may come to see
IT risk management as a set of fixed principles and relationships, universally applicable across industries and
geographies.
Industry Differences
The report also sheds light on the state of IT risk management within particular industries. Highlights include that
healthcare participants expected the most IT incidents of any industry sector. Given the complexity and highly personal
nature of healthcare services, as well as stringent compliance requirements, this is cause for some concern.
Telecommunications ranked highest in deploying IT risk management controls, followed closely by banking and financial
services. This success is likely driven by increased governance and compliance scrutiny of these sectors and concerns
over the protection of personal data.
“Now in its second year, the IT Risk Management Report provides IT professionals and C-level executives with
unparalleled insight into the discipline of IT risk management — ranging from understanding what’s working and what’s
not to providing actionable guidance and best practices for effective programme execution,” said David Thompson, group
president, Symantec Information Technology and Services Group. “Better understanding of the practice of IT risk
management empowers organisations to take calculated risks with confidence and use IT to drive competitive advantage.”
Click here to listen to further discussion on Symantec IT Risk Management Report.
The Symantec IT Risk Management Report Volume II is available at http://www.symantec.com/business/theme.jsp?themeid=inform.
About Symantec
Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a
connected world. The company helps customers protect their infrastructure, information, and interactions by delivering
software and services that address risks to security, availability, compliance and performance. Headquartered in
Cupertino, California, Symantec has operations in 40 countries. More information is available at www.symantec.com.
This information is not a commitment, promise or legal obligation to deliver any material, code or functionality and it
should not be relied on in making a purchasing decision. The development, release and timing of any features or
functionality described for our products remains at our sole discretion.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the
U.S. and other countries. Other names may be trademarks of their respective owners.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room
at http://www.symantec.com/news.
ENDS