IT Risk Management Report
Trends through December 2006. Volume 1, published February 2007.



“As IT becomes the cornerstone of our connections with customers, suppliers, partners, and business information, identifying and managing IT Risk becomes a core business capability.”

– Greg Hughes, Executive Vice President, Worldwide Services and Support, Symantec Corporation

Table of Contents

Executive Summary

Highlights

1 – Understanding IT Risk
As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security, Availability, Performance and Compliance – each with its own drivers and potential impacts.

2 – Process and technology effectiveness in managing IT Risk
Technology controls to manage IT Risk are often deployed more effectively than process controls. Yet organizations that manage IT Risk effectively deploy people and process controls equally well.

3 – Aligning IT and business risks
IT has moved from the glass house to the front lines – and perceptions of IT Risk often differ by role and function within organizations. These misalignments are barriers to effective IT Risk management.

4 – Understanding effective Risk Management
Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs and impacts, and design and implement a solution that adapts to organizational requirements.

5 – Risk Mitigation: process and payoff
The good news is that there’s a substantial upside to IT Risk Management – a more effective organization, with better control of its costs, technology, and future.

Conclusions
In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and partners can work with us confidently toward our common goals.

Appendix

Executive Summary

Information Technology (IT) Risk is a growing component of total Operational Risk. As businesses increasingly depend on IT to automate processes and store information, IT Risk Management is emerging as a separate practice. Organizations across sectors and industries have begun to consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk includes security, availability, performance and compliance elements, each with its own drivers and capacity for harm.

This report examines IT Risk, along with the technology and process controls used to mitigate it, in a year-long study based on in-depth structured interviews with more than 500 IT professionals around the world. The study determined that across industries, regions, and job roles, IT professionals:

• rate themselves more effective in their deployments of technology than of process controls
• see management of IT assets and configuration and change processes as particular problem areas
• see people and process improvements as holding the greatest opportunities for them to move from good to great

Data from high-performance organizations yielded a surprising – and very encouraging – result. More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations. More detailed analysis of the specific controls deployed by these companies revealed that best-in-class organizations perform with high effectiveness across most controls, including process controls, while lower-performing organizations typically focus on a small number of more tactical controls.

The study identified substantial differences in the ways IT operational personnel and executives view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk. This appears to occur when Risk Management programs are not tailored to the specific risk profile of the business or coordinated across functional and business unit lines – leading to areas of both under- and over-investment. Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment and a major cause of it.

Best-in-class IT Risk management requires a disciplined approach that includes IT Risk awareness, quantification of business impacts, solution design and implementation across people, process, and technology, and creation of a sustained IT Risk Management program complete with performance measurement and a model for continuous improvement. A staged program helps balance benefits, risks and costs at every step of implementation.

Highlights

This report is intended for executives with responsibilities for general, financial and IT management – anyone concerned with IT Risk and its management. With a broad cross-section of experience from IT professionals across industries, geographies and organization types, the report should provide context for Risk Management programs at your own organization.

Be sure to check these IT Risk Management Report highlights:

• Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1
• Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer incidents: see Effective IT Risk Management performance in Section 2
• Asset Management is the least-effective IT process: see Process effectiveness in Section 2
• Poor alignment between IT Risk strategy and the risk profile of the business can actually create higher business risk: see Why alignment on IT Risk matters in Section 3
• High performance across most process and technology controls, versus a few targeted areas, typically separates great from at-risk organizations: see Effective mitigation in Section 5

Your customers connect to their financial future through your systems and networks.

Section 1 – Understanding IT Risk

Risk is potential damage to an organization’s value, often from inadequate management of processes and events. IT Risk is emerging as a significant component of total business risk as IT assumes a more prominent role in organizations, and can account for more than 50% of total capital expenditure at some companies. Individual IT Risks may be classified as:

• Security risks – of unauthorized access, alteration or use of information
• Availability risks – of inaccessible business processes or data
• Performance risks – of delayed access to business processes or data
• Compliance risks – of violating legal, regulatory or IT policy requirements

What is IT Risk?

Business risks range from everyday operational shortcomings to rare cataclysmic failures. The types and levels of risk organizations face vary with their business and preferred risk profile. For example, an entertainment company with many customer-facing systems and a strong brand image might have a very different risk profile than a manufacturer with few externally-facing systems but significant trade and design information to protect. And a high-growth financial organization in a developing nation might be more concerned about availability and performance risks as it scales up operations than a financial organization in a more mature market where security and compliance concerns prevail.

Business risk is often split into financial and operational components. Financial risk is well understood, and established markets help organizations manage or transfer their credit, currency, pricing, and other types of financial risk.

Operational risk results from operations rather than transactions, and may include risks from external events such as natural disasters or changes in government regulation, or from internal processes associated with product quality, organization and plant performance, loss of intellectual property, or supervisory or legal controls.

As IT has become widely and deeply interconnected with business operations, IT Risk has grown to prominence as a component of total operational risk. More than just a specialty area of Operational Risk Management, IT Risk Management is emerging as a separate practice because of the unique role IT plays in today’s organizations:

• IT is now integral to many business operations and transactions. In Financial Services and Online Retail, for example, virtually the entire business may be carried out across IT systems and networks.
• IT Risk evolves as fast as technology changes. For example, online “phishing” fraud – and legal and regulatory requirements for IT countermeasures – were virtually unknown just three years ago.
• Identification, measurement, analysis, and management of IT Risk require specialized knowledge and skills. Aligning IT skills and processes – including IT Risk Management – to organizational goals is a constant challenge.

Life’s risks extend from poor mobile-phone connections through war, famine and disease. Different risks affect different individuals and organizations in different ways – and as the world changes, so do the origins and types of risk we face.

Classifying IT Risk

To help organizations understand and analyze IT Risk and organize their mitigation strategies, Figure 1 outlines a framework for classifying risks according to their impact on the organization. The framework classifies IT Risks as:

• Security risk – that information will be altered, accessed or used by unauthorized parties
• Availability risk – that information or applications will be inaccessible due to system failure or natural disaster, including any recovery period
• Performance risk – that underperformance of systems, applications, or personnel – or IT as a whole – will diminish business productivity or value
• Compliance risk – that information handling or processing will fail to meet regulatory, IT or business policy requirements

Figure 1: IT Risk spans four areas, each with its own set of drivers and potential impacts. [Figure: the four areas arranged around “IT Risk”, each with its drivers and goals.]
• Security – drivers: internal and external malicious threats; goals: keep bad things out, keep important things in
• Availability – drivers: natural disasters and system failures; goals: keep systems up, ensure rapid recovery
• Performance – drivers: application performance and IT performance; goals: optimize resources, ensure correct configuration
• Compliance – drivers: IT policy and external regulations; goals: ensure adequate controls, automate evidence collection

These four categories classify all elements of IT Risk that we have seen in organizations. Table 1 provides further information and examples of sources and potential impacts of risks in each category.

Although the survey on which this report is based concentrated on the Security and Compliance areas of risk, this implies no prioritization of the four elements of IT Risk. As we will see, every organization has its own unique IT Risk profile, and prioritization of these elements is an important early step in establishing an effective IT Risk Management program.

Table 1: Categories of IT Risk, with examples of the sources and potential impacts associated with each.

Security – Compromise of information, of confidence in it, and of the technology and processes for managing it
Sources: external attacks; malicious code; physical destruction; inappropriate access; disgruntled employees; proliferation of platform and messaging types
Potential impact: corruption of information; external fraud; identity theft; theft of financial assets; damage to reputation and brand; damage to assets

Availability – Failure or delay in delivering IT processes or information needed for business transactions and operations
Sources: hardware failures; network outages; poor change management processes; data center failures; force majeure
Potential impact: abandoned transactions and lost sales; reduced customer, partner and employee confidence; interruption or delay of business-critical processes; reduced IT staff productivity

Performance – Slow or inefficient operation of IT processes supporting business transactions and operations
Sources: poor system architectures; network congestion; inefficient code; inadequate capacity
Potential impact: reduced client satisfaction; reduced client or partner loyalty; reduced user productivity; interruption or delay of business-critical processes; lost IT productivity

Compliance – Penalties, fines and loss of reputation from failure to comply with laws and regulations, or consequences of non-compliance with IT policies
Sources: regulations unique to each jurisdiction, including the Gramm-Leach-Bliley Act, the EU Data Protection Directive, the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act; legal actions; internal IT safeguards supporting compliance; inadequate third-party compliance standards; expansion from central to end-point compliance
Potential impact: damage to reputation; breach of client confidentiality; litigation; executive productivity

What drives IT Risk?

From October 2005 through October 2006, Symantec surveyed 528 individuals on topics related to IT Risk. Participants held a range of professional responsibilities in organizations of different sizes, industries and geographies – the Appendix provides demographic details.

To assess the magnitude of IT Risk associated with core business processes, we asked a subset of respondents (n = 310)* to rate the IT Risk associated with each of seven key business processes in their organization.[1] The results are shown in Figure 2.

Figure 2: IT Risk associated with each of seven key business processes. IT Risk associated with Finance and Administration processes (leftmost column) led participants’ ratings for High or Critical risk, followed by those associated with critical customer-facing and operational tasks. Research and Supply-chain processes received the lowest risk ratings. [Chart: “IT Risk by Business Process”; y-axis: % of respondents (0–100%); x-axis: Finance/Admin., CRM, Operations, Business Intel., Corp. Resources, R&D, Supply Chain; rating scale: Nil, Low, Moderate, High, Critical.]

Business-process definitions
• Customer Relationship Management (CRM) – sales and electronic commerce
• Supply Chain Management (SCM) – the entire product value chain from source to end-user
• Operations Management – operational control of continuous service and product processes
• Research & Development – the development cycle of products and service offerings
• Business Intelligence – the corporate ability to make timely, informed business judgments
• Finance & Administration – the process of financial and administrative management
• Corporate Resources – business functions supporting the organization as a whole

* This study used two separate survey instruments – some questions were repeated on both; others not. Numbers in parentheses (“n = ”) report the number of surveys supporting each graph or data comparison. Please see the Appendix, “Survey instruments,” for details.

Systems and processes supporting Finance and Administration were associated with the greatest IT Risk, with over 66% of the respondents rating it High or Critical. Sales, Operations and Business Intelligence processes ranked second, with 53% giving Critical or High ratings for all three measures. Research & Development and Supply Chain Management systems and processes introduced the least amount of IT Risk; only 27% of those surveyed rated SCM risks as High or Critical, and just 33% rated R&D risks this way.

These results highlight two important points. First, IT Risk affects every major business process category: for even the lowest-ranked business process, nearly a third of professionals ranked IT Risk High or Critical. Second, IT Risk is highest for critical operational functions or those that manage critical and proprietary or confidential information, and lower only for functions further removed from revenue generation and the customer experience.

Our analysis also explored the components of compliance risk. Participants were asked how much risk each of six categories of regulations introduced into their organization. The results are illustrated in Figure 3 (n = 528 except for Data Retention, n = 310).

Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance. Data Protection and Retention show the highest proportion of High and Critical ratings, followed by Corporate Governance.

Respondents saw Data Protection and Data Retention introducing the greatest amount of compliance risk into their organizations, with a very substantial 66% and 70% of respondents, respectively, rating these risks as High or Critical. Compliance with Corporate Governance policies ranked third, with 55% High or Critical ratings. About half the respondents rated Intellectual Property risk as High or Critical, while National Security and Criminal and Civil Laws were seen to introduce the least risk – only 36% and 44% of respondents, respectively, rated these either High or Critical.

[Figure 3 chart: “IT Risk by Compliance Area”; y-axis: % of respondents (0–100%); x-axis: Data Retention, Data Protection, Corp. Governance, IP, Civil/Criminal, National Security; rating scale: Nil, Low, Moderate, High, Critical.]

As with Business Processes, respondents expressed strong concerns about IT Risk in every Compliance area – risks in even the lowest-ranked areas were seen as significant by a third to half of the respondents. More significantly, more than half the respondents saw High or Critical IT Risk in areas governing the proper operation of their organizations and protection of critical information. This level of concern – across so broad a range of roles and industries – underscores how poorly managed these risks may be judged by those best-positioned to know.

To help understand the impact of IT Risk associated with compliance processes, we compiled an index to measure the relative importance of each of the six compliance measures above, and applied it to organizations with different demographics.

Results show that organization size is a significant determinant of perceived compliance risk. For example, while 33% of organizations with more than 20,000 employees see compliance risk as critical to their organizations, only 15% of organizations with fewer employees do. Although a definitive explanation for this requires further investigation, the data are consistent with larger organizations’ greater complexity, number of business processes and operations, and geographic span of operations, exposing them to more regulations and requiring greater compliance with internal policies to monitor and govern organizational behavior.

The Aerospace and Defense industry segment was the only industry in which a majority of respondents rated compliance risk as critical. And despite the stringent regulations they face, only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as critical. Respondents from Europe, the Middle East and Africa generally saw less risk associated with compliance than their counterparts in the United States. In Section 5, we will explore reasons for low risk ratings by organizations operating in high-risk environments.

Compliance definitions
• Data Protection – securing confidentiality of private and personal information, for example against identity theft
• Data Retention – ensuring that enterprise data is stored securely and retained for access by legitimate users
• Corporate Governance – assuring that public disclosures accurately reflect corporate performance
• National Security – protecting citizens and national infrastructure from terrorism, war, or national disaster
• Civil & Criminal Legal Framework – assuring that IT systems and networks support the legal infrastructure through electronic signatures, data movement and use of IT resources
• Intellectual Property Protection – protecting individual and corporate intellectual property

Patient health and privacy connect when medical records are transmitted or stored.

Section 2 – Process and technology effectiveness in managing IT Risk

Effective IT Risk Management requires competence and investment in processes and technologies. Professionals surveyed at all levels of organizations across industries, scale, and geographic reach see their organizations’ capabilities to deploy IT Risk Management technologies as more effective than their capabilities deploying processes.

IT Risk Management processes and technology

Controls for IT Risk Management

Although Risk Management principles have received wide attention, few organizations had formalized their IT Risk Management programs until recently. In the past few years, however, more organizations have added Chief Risk Officers and other executive positions with responsibilities for IT Risk management, or have adopted formalized service-management standards such as the IT Infrastructure Library (ITIL®), ISO 17799, and COBIT® to help them manage IT Risk.

The most effective IT Risk Management programs use well-defined controls that combine well-chosen technologies and best-practice processes. We have identified eight technology and eight process controls that represent best practices for managing IT Risk (see sidebar, “Process and Technology Controls for IT Risk Management,” for details). They are derived from best practices defined by international standards including the code of practice for information security management (ISO/IEC 17799:2005[2]), COBIT[3] and ITIL, published by the United Kingdom’s Office of Government Commerce,[4] refined by Symantec experience in dealing with highly effective organizations, and expanded to encompass availability and performance in addition to security and compliance.

We asked survey participants to rate their success implementing each of the defined IT Risk Management controls – both process and technology. We also asked them to rate the amount of risk their organizations face, to determine whether organizations facing high levels of risk are more likely to have implemented highly effective controls.

While acknowledging the relevance of Risk Management to IT, organizations often struggle to put its principles into practice. Participants’ ratings of their organizations’ effectiveness deploying processes and technologies for IT Risk Management depend not only on their organizations’ industry, size, range of operation and other demographic factors, but on the differing perceptions of professionals within the organizations.

Process and Technology Controls for IT Risk Management

Process Controls
• IT and Security Strategic Management, Policy and Architecture – architectures, policies and strategies defined to run IT services
• Organizational Structure, Roles and Responsibilities – standards for interactions between groups; authority for security and external security-related communications
• Training and Awareness – processes to increase visibility and knowledge of security risks
• Assessment and Auditing – processes to assess the environment, controls, policies and processes used to implement strategy
• Authentication, Authorization and Access Management – processes and technology to verify users’ identities and control access to resources
• Operational Design, Workflows and Automation – design and implementation of automated solutions; workflow and resource management
• Asset Inventory, Classification and Management – processes to identify and classify assets, supporting execution of asset-class-based policies
• Incident Readiness and Response – standards for preparation for and response to incidents

Technology Controls
• Application Design, Development and Testing – processes, procedures, and methodologies to ensure that new and updated applications are appropriate, efficient and secure
• Systems Build and Deployment – systems and technologies to assure effective, secure deployment of new and updated systems
• Data Life Cycle Management – technology to move, replicate and protect data
• Configuration and Change Management – tools and processes to regulate change
• Resilient Infrastructure – technology to detect and correct vulnerabilities related to availability (e.g., redundancy and failover)
• Performance Management – technology to monitor and manage system performance
• Network, Protocol and Host Security – network design and infrastructure including segmentation, protocols, perimeter defense and availability
• Physical Security – technologies governing access to IT infrastructure and facilities

Process effectiveness

We surveyed our sample of IT professionals (n = 310) to understand how effective they thought their organizations were in deploying eight key process-based controls. The results are shown in Figure 4.

Figure 4: Ratings of organizations’ effectiveness at IT Risk Management processes, ordered left-to-right in decreasing order of perceived effectiveness.

“Authentication, Authorization and Access” was rated highest for effectiveness, with 68% of respondents rating their organizations 75% effective or higher. “Asset Inventory, Classification and Management” was lowest, with only 38% rating their organizations 75% effective or higher.

The findings show that most IT professionals feel their organizations are most effective deploying tactical controls for which they are accountable: organizational structure, and authentication, authorization, and access. They rate themselves moderately effective at policy-setting and compliance, assessment and audit, and incident response. And few felt they performed effectively in employee and IT staff training and awareness, operational design, or asset management.

The data show that the path from basic performance to best practice requires moving IT Risk Management programs away from a reactive posture designed only for protection against malicious external threats. Instead, programs should raise IT Risk awareness and spread avoidance and mitigation efforts throughout their organizations.

Respondents rated “Asset Inventory, Classification and Management” least effective of all their deployments. Yet this discipline is fundamental to building an IT Risk Management program that reflects the organization’s priorities. Without careful risk assessment, all assets are likely to be treated equally, so that some will be overprotected and others underprotected.

[Figure 4 chart: “IT Risk Management Process Effectiveness”; y-axis: % of respondents (0–100%); x-axis, left to right: Authentication/Authorization/Access; Organizational Structure; Incident Response; IT Policy Management/Architecture; Assessment/Audit; Training/Awareness; Operational Design; Asset Inventory/Classification/Management. Rating scale: <10% effective, 25% effective, 50% effective, 75% effective, >90% effective.]

Technology effectiveness

Figure 5 shows how effective organizations are in deploying technology controls.

Figure 5: Ratings of organizations’ technology effectiveness, ordered left-to-right in decreasing order of perceived effectiveness.

“Network, Protocol and Host Security” and “Physical Security” were the top-rated technology control deployments, with 80% and 77% of respondents, respectively, rating their organizations 75% effective or higher. These are the strongest ratings of all controls, process or technology. “Configuration and Change Management” received such ratings from only 55% of respondents, and “Performance Management” from just 52%. “Secure Application Development” was least frequently rated effective, with only 43% rating their deployments 75% effective or higher.

The low ratings of configuration and change management and of performance management deployments are significant. Organizations use these technologies to understand the configurations and performance levels of IT assets so they can minimize service disruptions and increase throughput. These deployments are critical in keeping systems stable, performing effectively, and up to date. Poor configuration and change management also constrains efforts to adapt and modernize systems for new opportunities or threats.

Although the survey identifies change management as a problem area, there are recent signs of improvement. In their “ITIL Change Management Maturity Benchmark Study,”[5] Evergreen Systems noted that “IT executives are increasingly integrating and internalizing change management procedures, processes and tools as core components of the organization.” We will see in Section 4 that these disciplines are important drivers of performance improvements in IT organizations.

[Figure 5 chart: “IT Risk Management Technology Effectiveness”; y-axis: % of respondents (0–100%); x-axis, left to right: Network/Protocol/Host Security; Physical Security; Resilient Infrastructure; Secure Data Lifecycle Management; Secure Systems; Config. and Change Management; Performance Management; Secure Application Development. Rating scale: <10% effective, 25% effective, 50% effective, 75% effective, >90% effective.]

The role of secure application development is growing, as IT professionals recognize its effec-

tiveness in preventing exploitation of application vulnerabilities by eliminating them at the

source. The technology requires substantial early investments in tools and skills, so while

secure application development proves very cost-effective over time, it remains in an early

stage of adoption at most organizations.

Technology and Process effectiveness index

To compare organizations’ effectiveness deploying IT Risk Management processes and technol-

ogy by industry, geography, organization size and respondent job role, we defined two indexes.

The first averages ratings for eight process controls, the second for eight technology controls.

We set levels to classify organizations as Strong, Good, Weak or Poor at implementing and

deploying these controls.

Figure 6 compares these effectiveness ratings. It shows that organizations are generally more

effective implementing technology than they are processes: 33% rated Strong on the Technol-

ogy Effectiveness Index; only 25% on the Process Effectiveness Index.

Figure 6: Effectiveness indexes of organizations, rating implementation effectiveness of technology and process controls; each index averages eight individual factors. Organizations’ implementations are generally stronger for technology controls.

Process effectiveness lags behind technology despite the recent industry focus on processes, using frameworks such as ITIL, ISO and COBIT.[6] For a closer look, we analyzed the data according to demographic categories.

The relative strength of technology over process effectiveness was robust across industry, organization size, operating region, and professional role of respondents, with just a few variations, specifically:

• only in Government, Healthcare and Manufacturing did effectiveness deploying process controls even approach parity with effectiveness deploying technology controls; in no case were process controls rated more effective.

• large organizations and global organizations (often the same) were more effective deploying both technology and process controls, but every classification showed greater effectiveness with technology controls than with process controls.

• ratings of overall effectiveness from Managers were higher than those from either Directors or Executives; again, all groups rated their organizations more effective with technology than with process controls for IT Risk Management.

[Figure 6: IT Risk Management Process vs. Technology Effectiveness. Stacked bars of the % of respondents rated Poor, Weak, Good or Strong on the Process and Technology Effectiveness Indexes.]

Best in Class: IT Risk and incident expectations

To help understand what makes organizations stand out as Best in Class at IT Risk Management, we divided 310 respondents into quartiles according to their overall effectiveness in the 16 process and technology controls identified earlier. The classifications were:

• Best in Class – top quartile (76th or better percentile, n=77)

• Better – second (51st to 75th, n=78)

• Good – third (26th to 50th, n=77)

• Worst – fourth (25th or worse, n=78)

For each quartile, we calculated and plotted separate indexes for regulatory and operational IT Risk (across 6 compliance and 7 business-process IT Risk areas), together with the rates at which respondents expected IT incidents. Results appear in Figure 7.
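The two effectiveness indexes and the quartile split described above, reconstructed as an added example (this is not the report’s own code or survey data); the 1–5 rating scale, the Strong/Good/Weak/Poor cut points of 4.0/3.0/2.0 and the eight-respondent sample are assumptions.

```python
"""Process and Technology Effectiveness Indexes and performance quartiles,
reconstructed from the report's description as an added example.

Assumptions (not stated by the report): each respondent rates all 16 controls
on the survey's five-point scale (1 = "<10% effective" ... 5 = ">90% effective");
the Strong/Good/Weak/Poor cut points 4.0 / 3.0 / 2.0 are placeholders; ties in
overall effectiveness are broken by respondent id so the split is deterministic.
"""

PROCESS_CONTROLS = [
    "Assessment, Audit", "Training, Awareness", "Operational Design",
    "Incident Response", "Asset Inv., Classify, Mgmt.",
    "IT Policy Mgmt., Architect", "Authent., Author., Access", "Org. Structure",
]
TECHNOLOGY_CONTROLS = [
    "Secure Systems", "Secure Appl. Development", "Config. and Change Mgmt.",
    "Secure Data Lifecycle Mgmt.", "Perform. Mgmt.", "Resilient Infra.",
    "Physical Security", "Network, Protocol, Host Security",
]
QUARTILE_LABELS = ["Worst", "Good", "Better", "Best in Class"]  # bottom to top


def effectiveness_index(ratings, controls):
    """Average of the 1-5 ratings over one family of controls."""
    missing = [c for c in controls if c not in ratings]
    if missing:
        raise ValueError(f"missing ratings for: {missing}")
    return sum(ratings[c] for c in controls) / len(controls)


def classify(index, strong=4.0, good=3.0, weak=2.0):
    """Map an index value to the report's four levels (cut points assumed)."""
    if index >= strong:
        return "Strong"
    if index >= good:
        return "Good"
    if index >= weak:
        return "Weak"
    return "Poor"


def overall_effectiveness(ratings):
    """Mean over all 16 controls; the quartiles are formed on this value."""
    return effectiveness_index(ratings, PROCESS_CONTROLS + TECHNOLOGY_CONTROLS)


def assign_quartiles(respondents):
    """Rank respondents by overall effectiveness and label the quartiles
    (top quartile, 76th percentile or better, is Best in Class)."""
    ranked = sorted(respondents,
                    key=lambda r: (overall_effectiveness(r["ratings"]), r["id"]))
    labels = {}
    for position, r in enumerate(ranked):
        percentile = 100.0 * position / len(ranked)   # 0 = lowest respondent
        labels[r["id"]] = QUARTILE_LABELS[min(3, int(percentile // 25))]
    return labels


def summarize(respondents):
    """Per-respondent indexes, Strong/Good/Weak/Poor ratings and quartile."""
    quartiles = assign_quartiles(respondents)
    summary = {}
    for r in respondents:
        p = effectiveness_index(r["ratings"], PROCESS_CONTROLS)
        t = effectiveness_index(r["ratings"], TECHNOLOGY_CONTROLS)
        summary[r["id"]] = {"process": p, "technology": t,
                            "process_rating": classify(p),
                            "technology_rating": classify(t),
                            "quartile": quartiles[r["id"]]}
    return summary


def share_rated(respondents, family, level):
    """Share of respondents at `level` on the `family` ('process' or
    'technology') index, e.g. the report's 33% Strong on technology."""
    summary = summarize(respondents)
    hits = sum(1 for s in summary.values() if s[family + "_rating"] == level)
    return hits / len(summary)


def ratings_from(process_scores, technology_scores):
    """Build a ratings dict from two lists of eight 1-5 scores."""
    if len(process_scores) != 8 or len(technology_scores) != 8:
        raise ValueError("each family has exactly eight controls")
    scores = list(process_scores) + list(technology_scores)
    if any(s not in (1, 2, 3, 4, 5) for s in scores):
        raise ValueError("ratings must be on the 1-5 scale")
    return dict(zip(PROCESS_CONTROLS + TECHNOLOGY_CONTROLS, scores))


# Constructed sample of eight respondents (illustrative, not survey data).
SAMPLE_RESPONDENTS = [
    {"id": "r1", "ratings": ratings_from([5, 5, 4, 5, 4, 5, 4, 5], [5, 5, 5, 4, 5, 5, 5, 5])},
    {"id": "r2", "ratings": ratings_from([3, 3, 2, 3, 3, 2, 3, 3], [4, 4, 5, 4, 4, 5, 4, 4])},
    {"id": "r3", "ratings": ratings_from([1, 2, 1, 1, 2, 1, 1, 2], [2, 2, 1, 2, 2, 2, 1, 2])},
    {"id": "r4", "ratings": ratings_from([4, 4, 4, 4, 4, 4, 4, 4], [4, 4, 4, 4, 4, 4, 4, 4])},
    {"id": "r5", "ratings": ratings_from([2, 2, 3, 2, 2, 3, 2, 2], [3, 3, 3, 3, 3, 3, 3, 3])},
    {"id": "r6", "ratings": ratings_from([3, 4, 3, 4, 3, 4, 3, 4], [4, 4, 4, 4, 5, 5, 5, 4])},
    {"id": "r7", "ratings": ratings_from([1, 1, 1, 1, 1, 1, 1, 1], [2, 2, 2, 2, 2, 2, 2, 2])},
    {"id": "r8", "ratings": ratings_from([2, 3, 2, 3, 2, 3, 2, 3], [3, 3, 3, 3, 3, 2, 3, 3])},
]
```

On this constructed sample, as in the survey, a larger share of respondents rates Strong on the technology index (50%) than on the process index (25%).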

Figure 7: Expected IT incident rates and two categories of IT Risk for organizations in each IT Risk Management performance quartile. IT incident expectations decline with effectiveness, despite increasing perception of IT Risk.


[Figure 7: Perceived IT Risks and Incidents by IT Risk Management Effectiveness, by Quartile. Index values (1–5) for Compliance Risk, Business Process Risk and Incidents across the Worst, Good, Better and Best quartiles.]

These results show that organizations rated more effective at managing IT Risk also experience higher levels of both Regulatory and Operational Risk. We had anticipated higher incident rates at high risk levels, either because negative impacts are more likely where risk exposure is higher, or because organizations base their perceptions of risk on incident expectations. The data show the opposite: effective organizations expect fewer incidents despite operating in riskier environments.

This result suggests that by building awareness of exposure to IT Risks and improving technology and processes for mitigating them, organizations may actually reduce incident rates below the levels experienced by less-effective firms operating in safer environments. The result also cautions organizations not to count on a low-exposure operating environment to protect them from incidents without effective technical and process controls.

Effective IT Risk Management performance

The relationship between organizations’ IT Risk Management controls and expected incident rates deserves a close look. For example, we’ve seen that despite facing the study’s highest levels of risk, best-in-class organizations expect the lowest realization of IT Risk, measured as incidents. Clearly, they are doing something right – what is it?

When we fielded the research, we believed that the 16 process and technology controls identified in earlier sections would prove to be effective defenses or countermeasures, reducing an organization’s exposure to both external and internal IT Risks. To test this hypothesis, we used data from performance quartiles identified in the preceding section to plot organizations’ effectiveness in deploying each individual process or technology control.

In the “radar” graphs of Figure 8, gaps between the concentric polygons reveal differences in effectiveness from one performance quartile to another – for example, the jump in “Training and Awareness” process effectiveness between the “Worst” and “Good” groups in Figure 7. Asymmetries in the polygons reveal imbalances in effectiveness – for example, the high estimates of “Network Protocol, Host Security” technology effectiveness for all quartiles in Figure 8.

The lowest-performing quartile shows modest performance in two process areas (organization and authentication/authorization/access) and two technology areas (network and physical security). These areas are the most tactical in scope and straightforward in implementation, and therefore where most organizations get started. They have deployed other controls lightly or not at all, and assess their deployments as fairly ineffective.


Effectiveness with Controls for Managing IT Risk

Figure 8: Process (top) and technology (bottom) control effectiveness scores for organizations in each performance quartile. Organizations with higher performance show effective performance across most or all measures (shown as distance from the graph’s center), rather than heavy emphasis on a few.

Moving from the lowest quartile to the highest reveals a clear trend. More-effective organizations increase the number of controls they deploy, and raise the effectiveness of deployment of each control. Organizations in the top two quartiles begin to experience diminishing returns in areas such as physical security and authentication, authorization, and access, and much better returns on measures such as configuration and change management, data lifecycle management, operational design, training and awareness, and others. The path from good to great IT Risk Management, then, involves moving from tactical, technical, and reactive to strategic, expansive, and proactive measures. It also requires a balanced program to evaluate all 16 measures and optimize incremental investments of people and dollars to achieve the greatest impact.


[Figure 8 radar graphs, scale 1–5, series Worst, Good, Better, Best and Mean. Process Controls by Quartile: Assessment, Audit; Training, Awareness; Operational Design; Incident Response; Asset Inv., Classify, Mgmt.; IT Policy Mgmt., Architect; Authent., Author., Access; Org. Structure. Technology Controls by Quartile: Secure Systems; Secure Appl. Development; Config. and Change Mgmt.; Secure Data Lifecycle Mgmt.; Perform. Mgmt.; Resilient Infra.; Physical Security; Network, Protocol, Host Security.]

Critical connections face unique risks, and require special defenses.

Section 3

Organizations manage risks so that they can pursue opportunities while keeping costs under control. Aligning differing perspectives on and activities toward IT Risk – among technical staff, managers and executives, and across departments and regions – is critical to avoid gaps, duplication, and waste.

Aligning IT and business risks


Aligning IT Risk strategy to organizational goals

IT Risk Management strategy – the importance of alignment

Aligning IT to business strategy has been a consistent theme in the IT professional and industry press for years. Yet progress is slow: CIO Magazine recently reported their readers’ number-one priority for 2007 was – again – aligning IT and business goals.[7] Why is alignment so important, and how can an IT Risk Management program advance it?

When business and IT operate in alignment, clearly-visible links identify which IT assets and operations support business operations and the value they create. This visibility transforms IT from a cost center to a driver of business value. Alignment clarifies how IT resources may be deployed to bring products to market faster, deliver more effective service to customers, and generate new revenue streams for the business.

Aligning an organization’s IT Risk strategy to business strategy is as important as operational alignment. Organizations’ risk profiles differ according to their lines of business and the strategies they pursue to maximize their effectiveness. Just as IT departments align their operations to best support those business objectives, they must align their Risk Management strategies as well – investing most heavily to mitigate those risks with greatest potential for business impact, and assuming greater exposure in those areas whose likelihood and impact are lower.

Whatever an organization’s risk profile and level of risk tolerance, risk mitigation typically means the ability to manage a larger risk portfolio. Alignment closes gaps between organizational and IT Risk strategies that would leave the organization critically exposed to internal and external risks of all kinds. It also cuts duplication and over-investment that wastes resources and creates unnecessary IT complexity and cost. Finally, a well-prepared IT Risk Management plan also guides system design and decision-making, resulting in higher operational efficiency, greater capacity for innovation, and lower IT costs. As a result, an effective strategy for mitigating IT Risk may both protect an organization against incidents, and reduce IT cost and complexity.


Aligning their operations to support organizational strategy is a top priority for IT executives worldwide. An effective IT Risk Management program creates an IT Risk profile that supports the business’s larger objectives, accepting more risk where business impact is low, and managing risk more closely in areas where the most is at stake.

Our survey data identified lack of alignment on assessments of IT Risk within IT departments themselves, and between IT departments and the organizations they serve.

Achieving internal alignment on IT Risk

The survey classified respondents’ jobs into Executive, Director, Manager, and Professional categories. Since the latter group includes non-IT employees, consultants, and third parties, the analysis concentrates on the first three groups. Respondents reported the level of IT Risk they perceived, first in complying with regulatory and policy requirements, and second in carrying out business operations.

Figure 9 shows the level of compliance risk perceived across the range of professional responsibilities in the survey. The results show an organizational chasm between the ranks of Managers who implement IT programs – and therefore bear responsibility for the internal risk exposures and shortcomings of the organization – and senior Executives who set direction for the organization, and bear responsibility for its exposure to external risks. The chasm appears in the assessment of Critical risks at the Director level. Directors were least likely to perceive compliance risk as Critical: only 16% did so, against 22% for Executives and Managers. Assessments of High risks were close to parity: 44% of Directors rated their compliance risk as High, the same as Managers and two percentage points below Executives.

Figure 9: Ratings of organizations’ compliance IT Risk by respondents in four job categories. Directors reported lower levels of compliance risk than Executives or Managers.


[Figure 9: Perception of Compliance IT Risk by Professional Responsibility, by Job Role. Stacked bars of the % of respondents rating compliance IT Risk Low, Moderate, High or Critical, for Executive, Director, Manager and Professional respondents.]

Figure 10 repeats the analysis for IT Risk introduced by Business Processes. Misalignment of IT Risk perceptions was even more dramatic, but in the opposite direction: 22% of Directors perceived Business Process Risk as Critical, against only 8% of Executives and 12% of Managers.

Figure 10: Rating of organizations’ business process IT Risk by respondents in four job categories. Directors reported lower levels than either Executives or Managers.

Disagreements among the ranks continued with process and technology effectiveness ratings. Section 2 revealed different effectiveness ratings for deployment of process and technology capabilities. A closer look shows that while 39% of IT managers report their organizations 75% or more effective in implementing technology capabilities, only 27% of executives agreed. Again, IT professionals differ by job role in assessing their risk-management environments.

Of course, since these respondents were drawn from different organizations, alignment may be better within organizations than the job-role analysis suggests. But the systematic differences seen among Executive, Director and Manager perceptions were outside expectations based on differences in experience with a regulation or technology.

The survey data, as well as discussions with respondents, revealed that the operational staff closest to implementation of IT programs may be the most inwardly-focused, and have the highest awareness of specific weaknesses. Senior executives most removed from day-to-day operations may share a high perception of IT Risk, but with perceptions based on awareness of external factors and concern for the unknown. The Director level – which would ideally bridge these operational and strategic viewpoints to facilitate alignment – may be biased toward tactical operational risks over external or regulatory risks, due to their direct accountability for operational IT Risks.


[Figure 10: Perceptions of Business Process IT Risk by Professional Responsibility, by Job Role. Stacked bars of the % of respondents rating business process IT Risk Low, Moderate, High or Critical, for Executive, Director, Manager and Professional respondents.]

Why alignment on IT Risk matters

Misalignment of perceptions and actions is more than just a source of internal disagreement about IT Risk Management policy; it can itself become a source of IT Risk. Misalignment occurs in two ways, either of which may elevate risk.

The first type of misalignment is internal to IT, causing gaps in the way systems and processes are developed, deployed and managed. Invisible until something goes wrong, these gaps may cause sudden unexpected service-level shortfalls, system downtime, and security breaches. Today this disconnect often occurs along organizational lines – for example, in the seams between the executives and functions responsible for security, compliance, and operational business continuity and availability. Solutions such as messaging typically require all these functions to converge on a solution that is secure, available, and compliant, yet organizational alignments make convergence difficult to achieve.


Collecting data for this study at IT conferences and roundtables, we heard a recurring theme about alignment. Respondents told us that training users about IT and security risks, for example, ranked among their greatest challenges. Recall that in Figure 4 of Section 2, we saw that Training and Awareness ranked third from the bottom in effectiveness among eight process controls. They insisted that technology-based controls can only go so far, and that effective mitigation of IT Risk requires behavioral changes by end users throughout the organization.

Two elements were frequently cited as necessary to encourage behavioral change. The first was quantification of value to the organization as a whole. Until an organization’s stakeholders understand the impact of lost information, unavailable systems, and non-compliant processes in terms that are meaningful to them – lost sales, dissatisfied customers or reduced productivity, for example – sustained focus will remain out of reach. Dramatic examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insufficient motivation to do more than the minimum.

The second element is culture. Organizations have different risk profiles to which IT Risk programs should be tuned. But they may also incorporate different workforces and cultures that will accept different levels of IT policy awareness and compliance. For example, a company with tens of thousands of employees averaging 24 years of age may require a very different policy for IM use and Web access on company systems and time than smaller companies with older workforces. Selective enforcement and highly visible actions may be more effective than stringent policies that are unenforceable because they fail to align with the organization’s culture.

Alignment – the business side

The second type of misalignment is between the IT function and the rest of the organization. The IT Risk program may not fully reflect or respond to the needs of the organization as a whole, resulting in loss of agility and increased risk. Alternately, organizational units and functions may not have sufficient awareness of their own IT Risk exposures. These disconnects result in “ivory tower” IT programs that over-invest in risk areas relevant to IT but not necessarily high organizational priorities, or under-invest in areas critical to organizational goals. Both result in lower contributions to the organization’s overall success.

Active management and mitigation of IT Risk requires IT departments to avoid risks created by misalignment. First, they must make sure their departments are aligned internally. From the CIO to the backup administrator, everyone in the department should share an understanding of IT Risks and priorities, and how they relate to their own areas of responsibility. Second, IT management must work closely with clients and stakeholders in the organization as a whole, enlisting their help to assure that IT priorities reflect the organization’s goals and objectives, and to drive compliance with IT Risk Management programs where necessary. In combination, internal and business alignment assures appropriate resource allocation and operational efficiency.

Companies following best practices in managing IT Risk incorporate the IT Risk strategy within the organization’s annual planning process to ensure alignment within IT and across the organization, and then track performance at an executive level as part of a corporate balanced scorecard.


Sample questions

How do your incident expectations measure up to those of the organizations in the survey? Answer these four questions, and check your results against survey norms on the last page of the report:

Context: What reflects the expected frequency of the following incidents in your organization?

1. Regulatory Non-Compliance – Your enterprise is found to be out of compliance with one or more governing regulations:
Never / Once every 5 years / Once every 2 years / Once a year / More than once a year

2. Major Information Loss – Service impact to your organization, caused by a loss of information, confidentiality, integrity or availability (e.g. data center outage, data corruption, full breach of security):
Never / Once every 5 years / Once a year / Twice a year / More than twice a year

3. Major IT Impact – Severe impact to your IT organization affecting more than 10% of your clients and/or servers – halting operations of some critical part of your operations:
Once every 5 years / Once a year / Twice a year / 5 times a year / More than 5 times a year

4. Minor IT Impact – Minor impact to your IT systems affecting less than 10% of your clients and/or servers, hinders the work of individuals or groups:
Once a year / 10 times a year / 20 times a year / Every day / More than once a day

Answers to self-test on page 47.

Your business depends on reliable connections with suppliers, distributors, and customers.

Section 4

Organizations achieve effective IT Risk Management by deploying a broad range of IT technology and process controls. The transition from good to great IT Risk Management is achieved primarily by increasing effectiveness across the full range of measures in a structured, disciplined program that proceeds from a broad assessment of IT Risks to a closed-loop process of continuous improvement.

Understanding effective Risk Management


Understanding effective IT Risk Management

Achieving Best in Class IT Risk Management

Few organizations have achieved the level of IT Risk Management performance achieved by Best in Class organizations in this survey. The field is still emerging, and not all organizations are yet organized to deal with IT Risk in an integrated fashion. Nor do all companies face the same levels of IT Risk or share similar risk profiles. The case for change, however, is compelling: organizations are experiencing rising incident rates across the areas of security, availability, performance, and compliance, with significant impact to revenue, reputation, productivity, and cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthorized access to information averaged over $85,000 in 2006,[8] and system downtime costs reached tens of thousands of dollars per hour.[9] It doesn’t take long for incidents of this scale to create significant drag on an organization.

How can organizations advance from good IT Risk Management practice to great? For organizations trying to manage IT Risks effectively, the challenge includes understanding their portfolio of IT Risks, quantifying and prioritizing them against the organization’s risk profile, and developing an effective program of remediation activities.

A five-step process can help organizations assess their levels of IT Risk, develop remediation roadmaps, and ultimately build effective, continuous IT Risk Management Programs. While the steps themselves, detailed in Figure 11, may seem familiar, the specific tools and tasks supporting them are very valuable, and linkages between phases help maintain focus and continuity of organizational commitment.


How can an organization build its capabilities for IT Risk Management? While there is no single formula or protocol, a broadly-applicable assessment, quantification, design, alignment and measurement program can help organizations marshal their resources effectively to achieve real, lasting improvements in IT Risk Management, often while reducing IT infrastructure and process complexity and cost.

Figure 11: Five-step IT Risk Mitigation process.

Step 1 – Develop awareness of IT Risks

IT Risk mitigation begins with comprehensive discovery, including:

• establishing the program’s scope (how expansive a view of IT Risk is appropriate?)

• constructing a risk profile for the organization based on its overall priorities

• identifying key areas of IT Risk

For many companies, the challenge of discovery includes both identifying new areas of risk, often by evaluating the risk profile and assessment against IT best practices, and organizing the dozens or hundreds of IT Risks of which they are already acutely aware.

A common question at this stage is, “How do I take the issues I already know about and assemble them into a comprehensive, structured framework I can assess and prioritize?” A clear framework requires identifying critical IT assets and understanding how they support critical business processes. Critical assets include the technology infrastructure underlying corporate operations, staff with privileged access to information, and the organization’s IT operational processes.

Assessment should also consider the organization’s current requirements, capabilities and vulnerabilities. Requirements include legal obligations such as regulations, contracts, and service level agreements, as well as business requirements such as the privacy, availability, and integrity of business information.

Finally, this stage involves identifying and classifying threats, issues, vulnerabilities, and weaknesses, assigning each a priority according to risk. The search for vulnerabilities and weaknesses should cover applications, infrastructure, operations, and organizations.


[Figure 11: IT Risk Assessment and Management Process – Step 1 Develop Awareness of IT Risks; Step 2 Quantify Business Impacts; Step 3 Design Solution; Step 4 Align IT / Business Value & Implement Solution; Step 5 Build & Manage Unified Capability.]

Step 2 – Quantify business impacts

Quantifying business impacts is typically the most challenging step – and the most important. Until they have quantified the impact, positive or negative, of addressing an area of IT Risk, IT leadership may be unable to attract their colleagues’ attention to it, or the funds needed for mitigation.

The “currency” of the business case varies according to the business and the area of risk. A Web site crash will mean lost revenue or sales for a retailer, negative brand impact or lost viewers for a media company, lost productivity for a manufacturer, and so on. The key is to build a case that makes sense in the local currency, whatever it may be.

Quantification of business impacts typically follows a two-phased approach. In the first, the full portfolio of risks is coarsely prioritized based on potential business impacts according to the organization’s risk profile and the ease or difficulty of risk mitigation, measured in time, staff resources, and investment. The second phase builds detailed business arguments for only those risks identified as high-impact areas. The model can be iterative, and it should be periodic, linked to the organizational and IT planning cycles.

Step 3 – Design solution

At this point, the organization knows the scope and components of its Risk Management program, its current status, and the priority and quantification of each area of IT Risk.

The next step is to design a set of remediation solutions, across the classic elements of people, process, and technology, each with requirements, specifications, goals, and functions. For some organizations this will be a narrowly-focused activity to address the most imminent areas of risk; for others a longer-term program with sequenced waves of initiatives.

This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals. For example, a model might be designed to provide tiered levels of service based on the priorities for different types of data and portions of the business.

Solutions that reduce risk frequently also reduce complexity and cost. This is especially true when risks have been introduced by dense or poorly-followed processes, misaligned organizational models, or unclear requirements or policies.


Step 4 – Align IT and business value; implement solution

Although quantification is the most difficult step, most programs’ success lies in the effectiveness of implementation. Implementation determines whether risk-mitigation initiatives are deployed successfully across people, process, and technology with close involvement of organizational stakeholders, or devolve into local IT projects measured narrowly by software and gear implemented and administrators trained.

Closed-loop measurement and continuous improvement are essential. With a coherent system of metrics and performance management capabilities, organizations set the stage for collection of baseline data, performance tracking, and assessment of program effectiveness against the original business case.

Step 5 – Build and manage unified capability

Once implementation of the first wave of IT Risk solutions is underway, organizations should institute programs for continuous improvement and ongoing governance of their IT Risk Management program.

As in most change-management programs, IT Risk Management follows a maturity model that begins with tactical basics and evolves to Best-in-Class performance. For most organizations, their position in this maturity model depends on their IT Risk profile and progresses through several waves of organizational, process, and technological change before reaching its goal. By adapting their efforts as their experience and effectiveness grow toward maturity, organizations can avoid or overcome the most common implementation challenges, including:

• replacing guesswork with quantification and prioritization of IT Risk Management efforts and investments

• replacing intermittent, reactive projects with a program that delivers consistent improvements over the long run

• replacing speculation with clear progress against consensus goals to secure the long-term investments needed for mitigation of IT Risks
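The two-phase quantification of Step 2, with incident frequencies taken from the self-test’s answer choices, as an added example rather than anything from the report; the risk register, per-incident impacts, mitigation costs, the $10,000 loaded staff-month cost and the 80% cumulative-impact cut are constructed assumptions (the $85,000 per unauthorized-access incident is the CSI/FBI figure the report cites).

```python
"""Two-phase quantification of business impacts (Step 2 of the five-step
process), written as an added example; it is not the report's own tool or data.
Incident frequencies are the self-test's answer choices ("Once every 5 years",
"Twice a year", ...). The register, impacts, mitigation costs, the loaded cost
per staff-month and the 80% cumulative-impact cut are constructed assumptions;
the $85,000 per unauthorized-access incident is the CSI/FBI figure the report cites.
"""
import re
from dataclasses import dataclass

STAFF_MONTH_COST = 10_000  # assumed loaded cost of one staff-month (constructed)


def frequency_per_year(choice):
    """Expected incidents per year for one of the survey's frequency choices.
    'More than ...' choices are open-ended; they are mapped to the next whole
    count as a conservative lower bound (an assumption made here)."""
    text = choice.strip().lower()
    open_ended = text.startswith("more than ")
    if open_ended:
        text = text[len("more than "):]
    fixed = {"never": 0.0, "once a year": 1.0, "twice a year": 2.0,
             "once a day": 365.0, "every day": 365.0}
    if text in fixed:
        per_year = fixed[text]
    elif (m := re.fullmatch(r"once every (\d+) years", text)):
        per_year = 1.0 / int(m.group(1))
    elif (m := re.fullmatch(r"(\d+) times a year", text)):
        per_year = float(m.group(1))
    else:
        raise ValueError(f"unrecognised frequency choice: {choice!r}")
    return per_year + 1.0 if open_ended else per_year


@dataclass
class Risk:
    name: str
    area: str                   # Security, Availability, Performance or Compliance
    frequency: str              # one of the survey's frequency choices
    impact_per_incident: float  # loss per incident in the organization's "currency"
    investment: float           # one-time mitigation spend
    staff_months: float         # staff effort the mitigation needs
    reduction: float            # assumed share of incidents the mitigation prevents

    def annualized_impact(self):
        """Expected annual loss before mitigation."""
        return frequency_per_year(self.frequency) * self.impact_per_incident

    def mitigation_cost(self):
        """Investment plus staff effort, in the same currency."""
        return self.investment + self.staff_months * STAFF_MONTH_COST


def coarse_prioritize(register, top_share=0.8):
    """Phase 1: rank the whole portfolio by annualized impact and flag the
    risks that together account for `top_share` of it as high-impact."""
    ranked = sorted(register, key=lambda r: r.annualized_impact(), reverse=True)
    total = sum(r.annualized_impact() for r in ranked)
    rows, cumulative = [], 0.0
    for r in ranked:
        high_impact = cumulative < top_share * total   # still below the cut
        cumulative += r.annualized_impact()
        rows.append({"name": r.name, "area": r.area,
                     "annualized_impact": r.annualized_impact(),
                     "mitigation_cost": r.mitigation_cost(),
                     "high_impact": high_impact})
    return rows


def business_case(risk):
    """Phase 2: detailed case for one high-impact risk, in the same currency."""
    before = risk.annualized_impact()
    after = before * (1.0 - risk.reduction)
    benefit = before - after
    cost = risk.mitigation_cost()
    return {"name": risk.name, "expected_annual_loss": before,
            "residual_annual_loss": after, "annual_benefit": benefit,
            "mitigation_cost": cost,
            "payback_months": 12.0 * cost / benefit if benefit > 0 else float("inf")}


def quantify(register, top_share=0.8):
    """Both phases: coarse ranking for every risk, detailed cases only for the
    high-impact ones (the report's two-phased approach)."""
    ranking = coarse_prioritize(register, top_share)
    by_name = {r.name: r for r in register}
    cases = [business_case(by_name[row["name"]]) for row in ranking if row["high_impact"]]
    return ranking, cases


# Constructed sample register (illustrative values, not survey findings).
SAMPLE_REGISTER = [
    Risk("Unauthorized access to customer data", "Security", "Twice a year", 85_000, 48_000, 2, 0.8),
    Risk("Data center outage (8 h at $30,000/h)", "Availability", "Once every 2 years", 240_000, 300_000, 6, 0.75),
    Risk("Regulatory non-compliance finding", "Compliance", "Once a year", 50_000, 20_000, 1, 0.6),
    Risk("Desktop malware (minor IT impact)", "Security", "20 times a year", 1_500, 15_000, 0.5, 0.5),
    Risk("Web site slowdown", "Performance", "10 times a year", 800, 12_000, 0.5, 0.5),
]

if __name__ == "__main__":
    ranking, cases = quantify(SAMPLE_REGISTER)
    for row in ranking:
        flag = "*" if row["high_impact"] else " "
        print(f"{flag} {row['name']:<42} ${row['annualized_impact']:>10,.0f}/yr")
    for case in cases:
        print(f"  {case['name']}: payback {case['payback_months']:.1f} months")
```

On the sample register the first three risks carry over 80% of the expected annual loss and get detailed cases; the data center outage mitigation pays back only after 48 months, which is the kind of result the second phase exists to surface before funds are requested.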


Connections bring both opportunities and risks – managing them is everyone’s job.


Section 5

In order to understand organizations’ IT Risk strategies better, we classified respondents into profiles based on their level of IT Risk and IT Risk Management effectiveness. While there are many ways to manage risk successfully, the resulting levels of risk and the costs to the organization can vary greatly. The best companies align investment to exposure, to focus attention and resources where they matter most.

Risk Mitigation: process and payoff


IT Risk mitigation profiles

Effective mitigation

To explore the limits of risk mitigation, we performed a cluster analysis (n=310) to identify consistent patterns in survey respondents’ risk exposure, effectiveness of mitigation efforts, and expectation of IT incidents. The analysis revealed three groups in which respondents are similar to one another, but different from those in the two other segments:

• At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing medium to high levels of IT Risk, but demonstrate poor effectiveness in addressing it through mitigating process and technology measures. Organizations with this profile typically expect a high rate of incidents.

• IT Risk Mitigators (23%) maintain effective IT Risk Management programs, but actually experience low levels of IT Risk. Organizations in this category seem to address IT Risk through overinvestment, ensuring mitigation, but at high costs.

• IT Risk Balancers (42%) pursue a matching strategy, meeting their organizations’ high levels of IT Risk exposure with highly-effective mitigation processes and technologies. These organizations are frequently Best in Class.

Figure 12 shows the performance of the three groups revealed by the cluster analysis, displaying all five underlying measurements instead of the single composite score used to create the clusters. The most interesting results are from the IT Risk Mitigator cluster. Mitigators, like Balancers, show high process and technology effectiveness – yet they face the lowest IT Risk levels of any group. Nothing in their underlying demographics separates Mitigators from Balancers. Instead, it appears that these organizations have chosen IT Risk Management strategies that meet comparatively low levels of IT Risk with investments that keep their mitigation processes and technologies highly effective. Mitigators expect to enjoy low incident rates, but it is possible that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would identify over-investments, signaling excessive costs, and missed opportunities elsewhere.


The way an organization manages the challenges in its environment can make the difference between a defensive, reactive position and an active posture that gives it the freedom to choose appropriate risks, effective actions, and its own path.

Figure 12: Organizational clusters, showing all five underlying measurements. Mitigators deploy high technology and process effectiveness despite comparatively low levels of compliance and business-process IT Risk.

Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor

grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis):

Figure 13: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness,

showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk.

The cluster analysis did not identify a fourth group, occupying the lower-left quadrant and

combining low levels of IT Risk and poor implementation of IT Risk Management programs.

We suspect that such organizations are underrepresented in our sample because they are less

likely than others to participate in surveys about IT Risk Management or attend industry events

with IT Risk Management prominent on the agenda.


[Figure 13 chart: IT Risk Exposure (Low-Mid, High) on the bottom axis against IT Risk Management Effectiveness (Low, High) on the side axis, with the At Risk, IT Risk Balancer and IT Risk Mitigator groups plotted.]

[Figure 12 chart: Risk Management Patterns – Cluster Analysis. IT Risk Exposure, Control Effectiveness and Incident Experience by Performance Cluster. Measurements shown: Operating Risk Index, Incident Index, Compliance Risk Index, Process Effectiveness Index, Technology Effectiveness; clusters: At Risk, Balancer, Mitigator.]

We speculate that this group faces low levels of risk, and implements IT Risk Management programs poorly, if at all. Their IT Risk strategy, which may not be articulated, might be to react to risks one by one as they arise, absorbing incident costs when that reaction is missing, inadequate or too late. Some may self-insure against IT Risks by maintaining reserves of financial assets to help with recovery from incidents.

Risk mitigation: how far?

Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and common sense suggest not – and certainly not at a reasonable cost. IT Risk must be managed, minimizing risk and cost in areas most vital to the organization, without constraining business performance.

And as organizations evolve over time, business priorities change, new regulations are enacted, and new external and internal threats to information and infrastructure crop up every day. A changing IT Risk landscape demands consistent, programmatic management to adapt to and mediate new forms of IT Risk. The five-step approach described in Section 4 emphasized the importance of iteration and management to address risk as part of a program of continuous improvement.

Organizations that manage their risk portfolios effectively create opportunity: they can make educated, informed decisions on how and when to take on additional risk. Their improved IT Risk Management capacity gives them latitude to innovate and explore a wider range of business options. IT’s support of this capacity for flexible innovation is among its greatest contributions to business value.


Operational efficiency – the same path to a different goal

We undertook this study to understand IT Risk and the effectiveness of technology and process controls in managing that risk. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational risk – and while true, it may not be the full story. Organizations may also choose to invest in process and technology improvements with a primary goal of increasing operational efficiency. Lower risk levels in the Mitigator cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for operational effectiveness. Our results don’t speak to their motivations.

But regardless of the motivations, these disciplines have positive impacts. Risk-management investments pay off by reducing incidents and freeing organizations to compete with greater confidence, agility, and success.

Conclusions

An organization’s assets, operations, and personnel may be brought to harm by internal or external threats carried out or weaknesses exposed across IT networks and systems. Managing IT Risk – in service of your organization’s mission – is the subject of this report, and the purpose of this series.

In a major year-long study, IT professionals reported significant gaps and shortcomings in their organizations’ deployments of controls to help them manage IT Risk. Respondents rated their organizations more effective at implementing risk-management technology than processes across the full range of industries, geographies, organization size and professional responsibilities. And they saw particular problems in managing IT assets and configuration and change control – both areas of critical importance in bringing IT Risks under control.

Respondents also displayed different perspectives on risk based on their individual responsibilities, and identified serious problems aligning and coordinating IT Risk Management with the broader goals of their organizations. Misalignment is itself a source of IT Risk, from risk exposures created by gaps between IT and organizational perceptions and priorities, and over-investment in areas of low organizational priority, sapping resources more effectively deployed elsewhere.

Best-in-class organizations – even though they face higher levels of IT Risk – anticipate fewer incidents, due to careful investments that maintain high effectiveness over the entire range of technology and process controls.

The report outlines a five-step process to help organizations put consistent, measurable, long-term programs in place, avoiding over- and under-investment, and achieving steady improvements measured against consensus goals.

Managing IT Risk is everyone’s job. From the CIO to the backup administrator, everyone should share a common understanding of IT Risks, their priorities, and how they relate to their individual areas of responsibility. IT management must work closely with their business clients to assure those priorities reflect the goals and objectives of the business as a whole. In combination, internal and business alignment assures appropriate resource allocation and operational efficiencies.


Appendix

Methodology

Data collection

Between October 2005 and October 2006, Symantec collected 528 responses from IT professionals attending IT events worldwide. Respondents completed survey questionnaires and submitted results in person. Respondents were offered and received a report comparing their responses to a benchmark group. To ensure candid responses and protect participants’ privacy, Symantec contracted a third party, Ecosystems LLC of Vienna, VA, to collect, process, aggregate, and protect the confidentiality of survey results on behalf of Symantec.

Survey instruments

Symantec collected 528 records using two survey instruments. The first, with 218 respondents, covered Compliance Risk, Incident Rate, Technology Effectiveness and Process Effectiveness. The second added a section on Business Process Risk and additional questions about Compliance Risk, Technology Effectiveness and Process Effectiveness. An additional 310 individuals responded to the expanded survey.

Most questions were identical on both surveys, so we combined those results for a sample size of 528. Additions and improvements to the second survey prevented use of the full record set for every analysis. As a result, much of the report reflects the 310 responses from the second survey, with the larger sample size and more complete set of questions.

Demographics

We fielded both versions of the survey to a broad demographic group, and identified the industry, number of employees, respondent job role and global or regional coverage of the respondent’s business operations. These demographics provided the variables for much of our analytical work.

Industry was classified into 37 segments, assembled into seven groups. The “Other” industry group comprises Agriculture, Mining, Construction, Retail, Wholesale and Energy.


Figure A1: Breakdown of 528 responses by industry. Please see the text for details.

We collected 161 and 308 job-role classifications from Surveys 1 and 2, respectively. We attribute the lower response rate for job roles in Survey 1 to privacy concerns among European respondents. The “Professional” role includes business, consultant and other non-IT job functions.

Figure A2: Breakdown of responses by respondents’ professional responsibilities. Please see the text for details.


[Figure A1 chart: Respondents by Industry. Categories: Public Sector, Financial Services, Services, Manufacturing, Other, Telecom/Media, Healthcare; horizontal axis: Number of Respondents (0 to 90); series: Survey 1, Survey 2.]

[Figure A2 chart: Respondents by Professional Responsibility. Categories: Professional, Executive, Director, Manager; horizontal axis: Number of Respondents (0 to 120); series: Survey 1, Survey 2.]

We measured organization size according to number of employees. As seen below, 215 respondents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at their organization.

Figure A3: Breakdown of responses by organization size. Please see the text for details.

We asked respondents to indicate the major areas of the globe in which their organizations had operations. This question allowed respondents to pick multiple geographic regions, so the number of responses exceeds the number of respondents. Since we did not identify headquarters country, specific attribution of responses to geographic regions is not possible. We can, however, understand risk-management behavior in terms of geographic scale of operations and globalization.

Figure A4: Breakdown of 528 responses by respondent organizations’ operating region. Please see the text for details.


[Figure A3 chart: Respondents by organization size. Categories: < 1,000 employees, 1,001 to 5,000 employees, 5,001 to 20,000 employees, > 20,000 employees; horizontal axis: Number of Respondents (0 to 100); series: Survey 1, Survey 2.]

[Figure A4 chart: Respondents by organization operating regions. Categories: North America, Asia Pacific, EMEA, Latin America; horizontal axis: Number of Respondents (0 to 350); series: Survey 1, Survey 2.]

We collected 92 of the 528 total responses during events conducted in Europe and South Africa, most during events based in the United Kingdom. Where appropriate, we compared these to the rest of the data set. Please see the report text for details.

Use of Indexes

Indexes used in the report measured total importance or impact of a risk, effectiveness measure, or incident rate across respondents. During the analysis phase, we used the data to create six indexes summarizing the average response to a set of questions. We used each index to compare means across organization demographics or respondent group, and for correlation and comparative analysis.

The six indexes used in the analysis are:

• Compliance Index – compliance risks listed on page 11.

• Business Process Index – business process risks listed on page 19.

• Incident Rate Index – incident expectations, as described on page 19.

• Process Effectiveness Index – effectiveness of organizations at implementing process capabilities listed on page 18.

• Technology Effectiveness Index – effectiveness of organizations at implementing technology capabilities listed on page 18.

• Overall Effectiveness Index – combination of the previous two indexes.

Answers to the Self-Test

To score your responses against incident expectations reported by 310 respondents in Survey 2, assign a value of “1” if you selected the least-frequent alternative, “2” for the next, to a maximum of “5” for the most-frequent alternative. Add the four scores, and then compare them to the survey sample using this table:

Best in Class = fewer than 6 points

Good performance = 6 to 10 points

Underperforming = more than 10 points



NO WARRANTY. The information provided in this document is being delivered to you “AS IS” and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com

For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation

World Headquarters

20330 Stevens Creek Boulevard

Cupertino, CA 95014 USA

1 (408) 517 8000

1 (800) 721 3934

www.symantec.com


1/07 11859849

Confidence in a connected world.