Symantec Goes Myth Busting With New IT Risk Management Study

Managers of enterprise networks are becoming more aware of the importance of IT risk management issues even though they still cling to four so-called myths that give a false sense of security, according to Symantec (Nasdaq: SYMC).

The security vendor on Wednesday released its IT Risk Management Report Volume II, which looks beyond last year's study of how the IT industry reacted to risk warnings. The report, driven by the analysis of more than 400 in-depth, structured surveys with IT professionals worldwide, concludes that misunderstandings of IT risk management can lead to potential IT system failures, impacting business continuity.

The report also found that IT practitioners have embraced a more balanced approach that encompasses availability, security, compliance and performance risks.

"IT participants now think about IT risk more holistically. The discipline of IT security is maturing," Bob Yang, senior director of education services at Symantec, told TechNewsWorld.

Building Frameworks

Symantec's risk management report identifies four key issues and trends, which it describes as "myths" commonly associated with IT risk. The study based these myths on frameworks Symantec used to describe key components of IT risk management.

The first framework centers on security, or preventing any unauthorized access. The second concerns availability or system functionality. Third is compliance with legal and regulatory restrictions, and the fourth framework regards performance or efficient system operation.

"Despite the greater awareness of IT risks, the flip side is that companies still are not sleeping well at night," said Yang, explaining that corporations are not yet fully confident about IT risk issues.

Debunking Myths

The first myth is that IT risk management focuses only on IT security. Of the survey respondents, 78 percent gave "critical" or "serious" ratings to availability risk as opposed to security, performance and compliance risks -- 70, 68 and 63 percent, respectively. The fact that only 15 percent separate the highest- and lowest-scoring risk types indicates that IT professionals are adopting a more balanced, less security-centric view of IT risk, the report noted.

The second myth, according to the report, is that IT risk management is project-driven. This year's report indicates people are moving away from this belief, said Yang.

More IT personnel are seeing security risk as just one part of the risk management process. IT risk management should be approached as an ongoing process in order to keep pace with the changing landscape businesses face today, according to the study.

Science or Business?

Myth No. 3, according to the study, is that technology alone mitigates IT risk. While technology plays a critical role in risk mitigation, the people and processes supported by technology also determine the effectiveness of an IT risk management program.

Process issues cause 53 percent of IT incidents, according to Symantec; people failures are responsible for 40 percent of system failures.

The final myth the Symantec report debunks, said Yang, is that IT risk management is now a scientific discipline. The report asserts that IT risk management is an evolving business discipline that relies on the experience accumulated by individuals and organizations as they keep pace with a changing business and technology environment.

IT risk management, the report notes, incorporates elements of operational risk management, quality control and business and IT governance. However, it also adds process and technology controls unique to the IT world.

Educational Goal

Training is one of the most effective controls for managing IT risk. Companies, according to the report, need an organization-wide strategy for training.

"Often the right hand does not know what the left hand is doing. Training everybody about risk management takes time. It can't be achieved overnight," said Yang.