Symantec study reframes IT risk management

New report shows that availability maintenance and compliance concerns are now as vital to businesses' risk management efforts as the installation of security tools

Symantec's primary strategy in the enterprise may currently revolve around the notion of IT risk management, but the company's latest research finds that efforts to refine corporate process unrelated to security technology have become just as popular with customers moving to limit their exposure.

According to Symantec's annual survey of 405 businesses, the notion that technologies used to improve IT security serve as the most vital element of corporate risk management currently ranks below other priorities among customers. Respondents to the study rated IT availability management and work on specific regulatory compliance projects as comparable, and in some cases more important, to their ongoing risk mitigation efforts.

In addition, fewer businesses are utilizing a strategy that approaches IT risk as a stand-alone skill set or initiative, according to the Symantec report.

One year ago, customers participating in the study indicated that the adoption of security technologies represented the central tenet of their risk management plans. In the 2008 report, 78 percent replied that availability maintenance concerns are now as vital to their exposure mitigation efforts as the installation of security tools.

Some 70 percent of respondents replied that security projects are still a critical part of their approach. However, 53 percent of the IT-related incidents experienced by surveyed companies were tied to other issues besides problems with systems defense.

"IT risk doesn't necessarily equate to security risk. That's a big shift, and the key takeaway is that organizations are getting more mature around the portfolio of risks they have to manage," said Samir Kapuria, managing director of Advisory Services at Symantec. "In the past, people looked at one area as discrete, but now they're addressing the four pillars of compliance, security, risk, and performance availability as part of a balanced strategy."

Increasing interdependence on IT systems shared between business partners has elevated availability and performance concerns above security issues -- and businesses are more worried about causing a bottleneck in their global supply chain then they are looking to thwart attacks, the expert contends.

"IT systems availability can have a downstream impact, which has had this downward effect," Kapuria said.

Spending on compliance-oriented projects also stands as a major piece of most companies' plans, with 68 percent of those people responding stating that their employers rate those efforts as crucial to their risk management strategies.

Respondents indicated that high-level risk management projects have become less central to their IT planning, with companies favoring targeted initiatives that address individual problems or regulations.

In terms of the participants' expectations to avoid and prevent IT breakdowns, 69 percent said they believe they will encounter at least one minor incident per month, with 63 percent predicting a major IT failure at least once a year.

Some 26 percent indicated they expect a failed regulatory compliance incident at least once annually, and 25 percent said that they will experience a data loss event every 12 months.

"This speaks volumes to the confidence that people have about their overall IT risk posture," said Kapuria. "Part of the problem is that people only do assessments on a bi-annual basis, or they might inventory their assets sporadically; that gap is what often leads to exposure in availability, security, compliance, or performance." All the individual projects involved need to be managed on an ongoing basis, he said.

However, the process remains a moving target. Increased adoption of mobile devices and other distributed enterprise trends continue to boost data and compliance risks, while business practices -- including fast-paced mergers and acquisitions -- introduce greater complexity, Kapuria said.

More than technological efforts, the Symantec report contends that companies may see faster returns in improving their risk status through greater investment in employee risk education and training.

Only 43 percent of respondents rated their training and awareness programs as more than 75 percent effective, showing that companies are well aware of their current shortcomings, Kapuria said. The report shows a decrease of more than 50 percent in companies' confidence about their training programs, compared to the year ago survey.

"The area where most people need to focus on is classifying their data, what it's used for, and what its sensitivity may be," said Kapuria. "Rather than just throwing technology at their problems, companies need to assess, and then apply the appropriate availability, security, and compliance requirements."