4 Myths About IT Risk Management

By Laton McCartney


The recently released IT Risk Management Report Volume II, published by security vendor Symantec, notes that while the awareness of the importance of IT risk management (ITRM) is on the upswing, several potentially damaging myths still exist.


"These can lead to potential system failures and impact business continuity," says Samir Kapuria, managing director of Symantec Advisory Services.


Based on surveys with 405 IT professionals, the Symantec study analyzes and dispels four myths commonly associated with IT risk:


  • That IT risk management is focused only on security.
  • That risk management is project driven.
  • That technology alone can manage IT risk.
  • That risk management has already become a formal discipline.


"Risk management is now more balanced than it has been in the past," says Kapuria. "There's a portfolio approach. It involves compliance, performance and availability as well as security. Today businesses are depending on IT to conduct day-to-day business so availability is critical."


The idea that ITRM is project driven is also fallacious, Kapuria says, given the changing landscape businesses face today and the ongoing possibility for a major problem. "Sixty-five percent of those surveyed expect a major outage once a year and at least 10 minor failures a year," he notes.


Instead of a project approach, ITRM should be seen as an ongoing process.


Moreover, process controls, and not the technology itself, are needed to manage risk effectively, Kapuria continues. He notes that 53% of ITRM problems result from process issues. "The irony is that process controls such as training and awareness are the most effective ways of dealing with this, yet only about 40% of the respondents rate their training and awareness programs as effective."


Finally, the report shows that ITRM is evolving from what was once thought of as a formal discipline or science into an evolving business discipline, one that Kapuria says should be managed at the senior, or "C", level, and possibly by the board. "At the end of the day, business and not just IT owns the risk," he asserts.





Comments (2)

1. 02-08-2008 10:59
a good article regarding IT risk mgt.
Guest

2. 02-08-2008 15:00
Great Article! We engage on a daily basis with many CIOs from F1000 clients in highly regulated industries. I would agree with you and Mr. Kapuria that IT risk management cannot be project driven nor focused on security alone. Information Technology is too critical in today’s enterprises and IT organizations must be able to not only react to risk but also implement processes to successfully detect and prevent risk. It appears that a holistic approach to IT risk management should include aspects of governance, risk and compliance working together.  
Executives must ensure their companies understand their policies, regulatory outlook and driving principles, identify risks against those statements and ensure compliance. I also agree that technology cannot be seen as the sole solution.  
Software can only be successful when incorporated into a process and configured to meet the needs of the process.  
 
Fortunately, we are seeing companies incorporate these principles into strategic objectives and managed alongside enterprise wide risk and compliance programs.  
 
Thanks for the information … spot on! 
 
David Walter 
Archer Technologies 
www.archer-tech.com
Guest

Copyright © 2007-2013 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.