Persistent Myths about IT Risk
By Thomas Schmidt
IT risk -- encompassing security, availability, performance and compliance elements -- has become a critical issue for executives and boards of directors. Yet some common myths about IT risk persist, and they need to be dispelled if IT risk is to be managed effectively.
In a new report, based on more than 500 interviews, best-in-class organizations -- even though they face higher risk levels -- were found to experience fewer incidents than less effective organizations. Their effective defense against more intense attacks may be attributable to balanced investments across a range of controls that mitigate the full spectrum of IT risks.
Myth #1: IT risk equals security risk
No myth about IT risk management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word “risk” seems to apply more easily to security than to performance, availability or compliance. In fact, survey participants rated availability risk as most significant -- 78 percent saw it as “serious” or “business-critical” for their organizations, followed by security risk (70 percent), performance risk (68 percent) and compliance risk (63 percent).
Interestingly, more than half the participants rated every risk element serious or business-critical, and only 15 percentage points separated the highest and lowest elements.
Survey responses also indicate that IT incidents are common, with 63 percent of participants expecting a major IT incident every year and 59 percent a major data loss at least once every five years. In addition, the responses show IT professionals in agreement with their customers about the gravity of data leakage: 63 percent believe a data leak would have serious impact on their businesses.
Myth #2: IT risk management is a project
Involved as they are in hundreds of projects, busy enterprise IT departments may view the assessment of IT risk as a “one-off” project to be followed by adjustments to remediate specific deficiencies. While better than no assessment, this approach can yield unsatisfactory results.
On average, the 405 survey participants anticipate “significant” IT-based incidents nearly once a month. Moreover, participants’ responses confirm what is now a fact of life for IT professionals; namely, they operate in an ever-changing IT risk environment:
“Not only are IT and business environments rife with every kind of IT risk, but the risks are constantly changing,” the report observes. “In fact, every category of IT risk is evolving all the time, driven by technology change, company go-to-market strategy, and the macro business climate.”
Myth #3: Technology alone mitigates IT risk
While technology plays a critical role, effective organizations manage IT risks by deploying people and process controls as well. Best-in-class organizations also deploy balanced controls to manage IT risk -- and expect fewer incidents than less effective organizations, despite higher perceived risk levels. No control or category alone leads to high performance -- a combination of effective controls helps best-in-class organizations achieve their expectation of lower rates of IT incidents.
Moreover, while IT professionals are comfortable with technology controls, process controls are often the key to avoiding serious incidents. In a 2007 study, researchers from MIT’s Center for Information Research examined the root causes of 85 severe security and availability incidents. Their findings: process-based issues caused 53 percent of the incidents, environmental configuration issues accounted for 51 percent of incident root causes, and staff skills accounted for 41 percent (an incident can have more than one root cause, so the percentages overlap).
Myth #4: IT risk management is a science
The last myth may be more widespread within the practice of IT risk management than in the business community at large. As IT risk management becomes more widely practiced -- and especially as standards and frameworks encourage consistent practices -- practitioners may come to see it as a set of fixed principles and relationships, universally applicable across industries and geographies. But as the latest report observes:
“IT management is an emerging business process, not a science. Rather than experiment and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they manage their way across a changing business landscape.”
Four IT risk management best practices have been identified that are applicable across organizations:
- Assess risk and scope: Before taking action, assess the likelihood and probable impact of each risk. Even a simple, qualitative assessment will help avoid coverage gaps and waste as your program gets under way.
- Build a risk-aware culture: Because businesses take risks for profit, naive risk aversion can be a barrier to success. IT risk management should build a culture that understands organizational objectives, IT risks, mitigation costs and their interrelationships.
- Develop people: As the MIT research cited above showed, 41 percent of IT incidents have root causes based in staff skills. Separately, IDC found that training has profound impacts on IT performance, improving productivity by 10 percent on average.
- Give it time: Experience indicates that it may take three to five years for IT risk management controls to become completely effective.
Conclusion
The latest data about IT risk indicate the following:
- IT failures in an organization ripple through customers, suppliers and partners.
- IT risks come from multiple sources, change constantly and require a continuous program of discovery, monitoring and management.
- IT risks are managed by the combination of people, process and technology, balancing risks against business objectives.
- IT risk management is a business process that adapts to organizational requirements, guided by best practices.
Managing IT risk rarely means eliminating it. Instead, IT risk management disciplines and practices help keep IT services flexible, adaptive and aligned to organizational goals in a constantly changing business climate. IT risk management can provide the insight that allows organizations to take calculated risks with confidence and use IT to drive competitive advantage.
Thomas Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.