Symantec study reframes IT risk management

Symantec's primary strategy in the enterprise may currently revolve around the notion of IT risk management, but the company's latest research finds that efforts to refine corporate process unrelated to security technology have become just as popular with customers moving to limit their exposure.

According to Symantec's annual survey of 405 businesses, the notion that technologies used to improve IT security serve as the most vital element of corporate risk management currently ranks below other priorities among customers. Respondents to the study rated IT availability management and work on specific regulatory compliance projects as comparable, and in some cases more important, to their ongoing risk mitigation efforts.

In addition, fewer businesses are utilizing a strategy that approaches IT risk as a stand-alone skill set or initiative, according to the Symantec report.

One year ago, customers participating in the study indicated that the adoption of security technologies represented the central tenet of their risk management plans. In the 2008 report, 78 percent replied that availability maintenance concerns are now as vital to their exposure mitigation efforts as the installation of security tools.

Some 70 percent of respondents replied that security projects are still a critical part of their approach. However, 53 percent of the IT-related incidents experienced by surveyed companies were tied to other issues besides problems with systems defense.

"IT risk doesn't necessarily equate to security risk. That's a big shift, and the key takeaway is that organizations are getting more mature around the portfolio of risks they have to manage," said Samir Kapuria, managing director of Advisory Services at Symantec. "In the past, people looked at one area as discrete, but now they're addressing the four pillars of compliance, security, risk, and performance availability as part of a balanced strategy."

Increasing interdependence on IT systems shared between business partners has elevated availability and performance concerns above security issues -- and businesses are more worried about causing a bottleneck in their global supply chain then they are looking to thwart attacks, the expert contends.

"IT systems availability can have a downstream impact, which has had this downward effect," Kapuria said.

Spending on compliance-oriented projects also stands as a major piece of most companies' plans, with 68 percent of those people responding stating that their employers rate those efforts as crucial to their risk management strategies.

Respondents indicated that high-level risk management projects have become less central to their IT planning, with companies favoring targeted initiatives that address individual problems or regulations.

In terms of the participants' expectations to avoid and prevent IT breakdowns, 69 percent said they believe they will encounter at least one minor incident per month, with 63 percent predicting a major IT failure at least once a year.

Some 26 percent indicated they expect a failed regulatory compliance incident at least once annually, and 25 percent said that they will experience a data loss event every 12 months.