Shift in security risk priorities, says Symantec study

The notion that technologies used to improve IT security serve as the most vital element of corporate risk management currently ranks below other priorities among customers, according to Symantec’s annual survey of 405 businesses.

Respondents to the study rated IT availability management and work on specific regulatory compliance projects as comparable, and in some cases more important, to their ongoing risk mitigation efforts.

In addition, fewer businesses are utilizing a strategy that approaches IT risk as a standalone skill set or initiative, according to the Symantec report.

One year ago, customers participating in the study indicated that the adoption of security technologies represented the central tenet of their risk management plans. In the 2008 report, 78 per cent replied that availability maintenance concerns are now as vital to their exposure mitigation efforts as the installation of security tools.

Some 70 per cent of respondents replied that security projects are still a critical part of their approach. However, 53 per cent of the IT-related incidents experienced by surveyed companies were tied to other issues besides problems with systems defence.

“IT risk doesn’t necessarily equate to security risk. That’s a big shift and the key takeaway is that organizations are getting more mature around the portfolio of risks they have to manage,” said Samir Kapuria, managing director of Advisory Services at Symantec.

“In the past, people looked at one area as discreet, but now they’re addressing the four pillars of compliance, security, risk, and performance availability as part of a balanced strategy.”

Increasing interdependence on IT systems shared between business partners has elevated availability and performance concerns above security issues — and businesses are more worried about causing a bottleneck in their global supply chain then they are looking to thwart attacks, the expert contends.

“IT systems availability can have a downstream impact which has had this downward effect,” Kapuria said.

Spending on compliance-oriented projects also stands as a major piece of most companies’ plans, with 68 per cent of those people responding stating that their employers rate those efforts as crucial to their risk management strategies.

Respondents indicated that high-level risk management projects have become less central to their IT planning, with companies favouring targeted initiatives that address individual problems or regulations.

In terms of the participants’ expectations to avoid and prevent IT breakdowns, 69 per cent said they believe they will encounter at least one minor incident per month, with 63 per cent predicting a major IT failure at least once a year.

Some 26 per cent indicated they expect a failed regulatory compliance incident at least once annually, and 25 per cent said that they will experience a data loss event every 12 months.

“This speaks volumes to the confidence that people have about their overall IT risk posture,” said Kapuria. “Part of the problem is that people only do assessments on a bi-annual basis, or they might inventory their assets sporadically; that gap is what often leads to exposure in availability, security, compliance, or performance.”

All the individual projects involved need to be managed on an ongoing basis, he said.

However, the process remains a moving target. Increased adoption of mobile devices and other distributed enterprise trends continue to boost data and compliance risks, while business practices — including fast-paced mergers and acquisitions — introduce greater complexity, Kapuria said.

More than technological efforts, the Symantec report contends that companies may see faster returns in improving their risk status through greater investment in employee risk education and training.

Only 43 per cent of respondents rated their training and awareness programs as more than 75 per cent effective, showing that companies are well aware of their current shortcomings, Kapuria said. The report shows a decrease of over 50 per cent in companies’ confidence about their training programs, compared to the year ago survey.

“The area where most people need to focus on is classifying their data, what it’s used for, and what its sensitivity may be,” said Kapuria. “Rather than just throwing technology at their problems, companies need to assess, and then apply the appropriate availability, security, and compliance requirements.”

Related content:

Today’s IT professionals: New roles, new salaries

Canadian firms pulling up their SOX, says study

Eight security tips that every CIO should know



Related Download
Improving the State of Affairs With Analytics Sponsor: SAS
Improving the State of Affairs With Analytics
Download this case study-rich white paper to learn why data management and analytics are so crucial in the public sector, and how to put it to work in your organization.
Register Now