IT RISK MANAGEMENT

Volume 1, Published February, 2007

IT Risk Management Report

Trends through December 2006

As IT becomes the cornerstone of our connections with customers, suppliers, partners, and business information, identifying and managing IT Risk becomes a core business capability.
Greg Hughes, Executive Vice President Worldwide Services and Support, Symantec Corporation

Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1 Understanding IT Risk
.........................................................................................5 As the role of IT grows, IT Risk is emerging as a major component of organizational risk. IT Risks span Security, Availability, Performance and Compliance each with its own drivers and potential impacts.

2 Process and technology effectiveness in Managing IT Risk

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Technology controls to manage IT Risk are often deployed more effectively than process controls. Yet organizations that manage IT Risk effectively deploy people and process controls equally well.

3 Aligning IT and business risks

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

IT has moved from the glass house to the front lines and perceptions of IT Risk often differ by role and function within organizations.These misalignments are barriers to effective IT Risk management.

4 Understanding effective Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Effective IT Risk Management demands a disciplined, structured program to develop awareness, quantify costs and impacts, and design and implement a solution that adapts to organizational requirements.

5 Risk Mitigation: process and payoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

The good news is that theres a substantial upside to IT Risk Management a more effective organization, with better control of its costs, technology, and future.

Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
In a connected world, we share a responsibility to identify and manage risk so our customers, suppliers and partners can work with us confidently toward our common goals.

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Executive Summary
Information Technology (IT) Risk is a growing component of total Operational Risk. As businesses increasingly depend on IT to automate processes and store information, IT Risk Management is emerging as a separate practice. Organizations across sectors and industries have begun to consolidate functions to develop a more comprehensive, focused approach to IT Risk. IT Risk includes security, availability, performance and compliance elements, each with its own drivers and capacity for harm. This study examined IT Risk, along with the technology and process controls used to mitigate it, in a year-long study based on in-depth structured interviews with more than 500 IT professionals around the world. The study determined that across industries, regions, and job roles, IT professionals: rate themselves more effective in their deployments of technology than of process controls see management of IT assets and configuration and change processes as particular problem areas see people and process improvements as holding the greatest opportunities for them to move from good to great Data from high-performance organizations yielded a surprising and very encouraging result. More-effective organizations even though they often face higher risk levels expect fewer incidents than less-effective organizations. More detailed analysis into the specific controls deployed by these companies revealed that best-in-class organizations perform with high effectiveness across most controls, including process controls, while lower-performing organizations typically focus on a small number of more tactical controls. The study identified substantial differences in the ways IT operational personnel and executives view their IT Risk exposure, and examined these in detail. Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk. This appears to occur when Risk Management programs are not tailored to the specific risk profile of the business or coordinated across functional and business unit lines leading to areas of both under- and over-investment. Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause. Best-in-class IT Risk management requires a disciplined approach that includes IT Risk awareness, quantification of business impacts, solution design and implementation across people, process, and technology, and creation of a sustained IT Risk Management program complete with performance measurement and a model for continuous improvement. A staged program helps balance benefits, risks and costs at every step of implementation.

Highlights
This report is intended for executives with responsibilities for general, financial and IT management anyone concerned with IT Risk and its management. With a broad cross-section of experience from IT professionals across industries, geographies and organization types, the report should provide context for Risk Management programs at your own organization. Be sure to check these IT Risk Management Report highlights: Finance and CRM processes introduce the highest IT Risk: see What Drives IT Risk in Section 1 Best-in-class managers of IT Risk frequently face more IT Risk exposure, but expect fewer incidents: see Effective IT Risk Management performance in Section 2 Asset Management is the least-effective IT process: see Process effectiveness in Section 2 Poor alignment between IT Risk strategy and the risk profile of the business can actually create higher business risk: see Why alignment on IT Risk matters in Section 3 High performance across most process and technology controls, versus a few targeted areas, typically separates great from at-risk organizations: see Effective mitigation in Section 5

Your customers connect to their financial future through your systems and networks.

Section 1

Understanding IT Risk

Risk is potential damage to an organizations value, often from inadequate management of processes and events. IT Risk is emerging as a significant component of total business risk as IT assumes a more prominent role in organizations, and can account for more than 50% of total capital expenditure at some companies. Individual IT Risks may be classified as: Security risks of unauthorized access, alteration or use of information Availability risks of inaccessible business processes or data Performance risks of delayed access to business processes or data Compliance risks of violating legal, regulatory or IT policy requirements

Understanding IT Risk
Lifes risks extend from poor mobile-phone connections through war, famine and disease. Different risks affect different individuals and organizations in different ways and as the world changes, so do the origins and types of risk we face. What is IT Risk?
Business risks range from everyday operational shortcomings to rare cataclysmic failures. The types and levels of risk organizations face vary with their business and preferred risk profile. For example, an entertainment company with many customer-facing systems and a strong brand image might have a very different risk profile than a manufacturer with few externallyfacing systems but significant trade and design information to protect. And a high-growth financial organization in a developing nation might be more concerned about availability and performance risks as it scales up operations than a financial organization in a more mature market where security and compliance concerns prevail. Business risk is often split into financial and operational components. Financial risk is well understood, and established markets help organizations manage or transfer their credit, currency, pricing, and other types of financial risk. Operational risk results from operations rather than transactions, and may include risks from external events such as natural disasters or changes in government regulation, or internal processes associated with product quality, organization and plant performance, loss of intellectual property, or supervisory or legal controls. As IT has become widely and deeply interconnected with business operations, IT Risk has grown to prominence as a component of total operational risk. More than just a specialty area of Operational Risk Management, IT Risk Management is emerging as a separate practice because of the unique role IT plays in todays organizations: IT is now integral to many business operations and transactions. In Financial Services and Online Retail, for example, virtually the entire business may be carried out across IT systems and networks. IT Risk evolves as fast as technology changes. For example, online phishing fraud and legal and regulatory requirements for IT countermeasures were virtually unknown just three years ago.

 Identification, measurement, analysis, and management of IT Risk requires specialized knowledge and skills. Aligning IT skills and processes including IT Risk Management to organizational goals is a constant challenge.

Internal and External Malicious Threats

Se cu

Keep Bad Things Out Keep Important Things In

y rit

Ava il a
y lit bi

Natural Disasters and System Failures Keep Systems Up Ensure Rapid Recovery

IT Risk
r fo Per

Ensure Adequate Controls Automate Evidence Collection

IT Policy and External Regulations

ce

Figure 1: IT Risk spans four areas, each with its own set of drivers and potential impacts.

p m Co

lia nc e

Application Performance and IT Performance Optimize Resources Ensure Correct Configuration

Classifying IT Risk
To help organizations understand and analyze IT Risk and organize their mitigation strategies, Figure 1 outlines a framework for classifying risks according to their impact on the organization. The framework classifies IT Risks as: Security risk that information will be altered, accessed or used by unauthorized parties Availability risk that information or applications will be inaccessible due to system failure or natural disaster, including any recovery period Performance risk that underperformance of systems, applications, or personnel or IT as a whole will diminish business productivity or value Compliance risk that information handling or processing will fail to meet regulatory, IT or business policy requirements These four categories classify all elements of IT Risk that we have seen in organizations. Table 1 (next page) provides further information and examples of sources and potential impacts of risks in each category. Although the survey on which this report is based concentrated on Security and Compliance areas of risk, this implies no prioritization of the four elements of IT Risk. As we will see, every organization has its own unique IT Risk profile, and prioritization of these elements is an important early step in establishing an effective IT Risk Management program.

an

Risk Category

Source

Potential Impact

Security Compromise of information, confidence in it and technology and processes for managing it

- External attacks - Malicious code - Physical destruction - Inappropriate access - Disgruntled employees - Proliferation of platform and messaging types

- Corruption of information - External fraud - Identity theft - Theft of financial assets - Damage to reputation & brand - Damage to assets

Availability Failure or delay in delivering IT processes or information needed for business transactions and operations

- Hardware failures - Network outages - Poor change management processes - Data center failures - Force majeure

- Abandoned transactions and lost sales - Reduced customer, partner, employee confidence - Interruption or delay of businesscritical processes - Reduced IT staff productivity

Performance Slow or inefficient operation of IT processes supporting business transactions and operations

- Poor system architectures - Network congestion - Inefficient code - Inadequate capacity

- Reduced client satisfaction - Reduced client or partner loyalty - Reduced user productivity - Interruption or delay of businesscritical process - Lost IT productivity

Compliance Penalties, fines and loss of reputation from failure to comply with laws and regulations, or consequences of noncompliance with IT policies

- Regulations unique to each jurisdiction, including: Graham-Leach-Bliley Act EU Data Protection Directive Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley Act - Legal actions - Internal IT safeguards supporting compliance - Inadequate third-party compliance standards - Expansion from central to end-point compliance

- Damage to reputation - Breach of client confidentiality - Litigation - Executive productivity

Table 1: Categories of IT Risk, with examples of the sources and potential impacts associated with each.

What drives IT Risk?

From October 2005 through October 2006, Symantec surveyed 528 individuals on topics related to IT Risk. Participants held a range of professional responsibilities in organizations of different sizes, industries and geographies the Appendix provides demographic details. To assess the magnitude of IT Risk associated with core business processes, we asked a subset of respondents (n = 310)* to rate the IT Risk associated with each of seven key businesses processes in their organization.1 The results are shown in Figure 2.
IT Risk by Business Process
100% 80% % of respondents 60% 40% 20% 0% Finance, Admin. CRM Nil Operations Low Business Intel. High Corp. Resources Critical R&D Supply Chain

Moderate

Figure 2: IT Risk associated with each of seven key business processes. IT Risk associated with Finance and Administration processes (leftmost column) led participants ratings for High or Critical risk, followed by those associated with critical customer-facing and operational tasks. Research and Supply-chain processes received the lowest risk ratings.

Business-process definitions
Customer Relationship Management (CRM) sales and electronic commerce Supply Chain Management (SCM) the entire product value chain from source to end-user Operations Management operational control of continuous service and product processes Research & Development the development cycle of products and service offerings Business Intelligence the corporate ability to make timely, informed business judgments Finance & Administration the process of financial and administrative management Corporate Resources business functions supporting the organization as a whole

* This study used two separate survey instruments some questions were repeated on both; others not. Numbers in parentheses (n= ) report the number of surveys supporting each graph or data comparison. Please see the Appendix, Survey instruments for details.

Systems and processes supporting Finance and Administrative were associated with the greatest IT Risk, with over 66% of the respondents rating it High or Critical. Sales, Operations and Business Intelligence processes ranked second, with 53% giving Critical or High ratings for all three measures. Research & Development and Supply Chain Management systems and processes introduced the least amount of IT Risk; only 27% of those surveyed rated SCM risks as High or Critical, and just 33% rated R&D risks this way. These results highlight two important points. First, IT Risk affects every major business process category: for even the lowest-ranked business process, nearly a third of professionals ranked IT Risk High or Critical. Second, IT Risk is highest for critical operational functions or those that manage critical and proprietary or confidential information, and lower only for functions further removed from revenue generation and the customer experience. Our analysis also explored the components of compliance risk. Participants were asked how much risk each of six categories of regulations introduced into their organization. The results are illustrated in Figure 3 (n = 528 except for Data Retention, n = 310).
IT Risk by Compliance Area
100% 80% % of respondents 60% 40% 20% 0% Data Retention Nil Data Protection Low Corp. Governance Moderate IP High Civil, Criminal Critical National Security

Figure 3: IT Risk index ratings associated with six areas of Regulatory Compliance. Data Protection and Retention show the highest proportion of High and Critical ratings, followed by Corporate Governance.

Respondents saw Data Protection and Retention introducing the greatest amount of compliance risk into their organizations, with a very substantial 66% and 70% of respondents rating these risks as High and Critical, respectively. Compliance with Corporate Governance policies ranked third, with 55% High or Critical ratings. About half the respondents rated Intellectual Property risk as High or Critical, while National Security and Criminal and Civil Laws were seen to introduce the least risk only 36% and 44% of respondents, respectively, rating these either High or Critical.

10

Compliance definitions
Data Protection securing confidentiality of private and personal information, for example against identity theft Data Retention ensuring that enterprise data is stored securely and retained for access by legitimate users Corporate Governance assuring that public disclosures accurately reflect corporate performance National Security protecting citizens and national infrastructure from terrorism, war, or national disaster Civil & Criminal Legal Framework assuring that IT systems and networks systems support legal infrastructure through electronic signatures, data movement and use of IT resources Intellectual Property Protection protecting individual and corporate intellectual property

As with Business Processes, respondents expressed strong concerns about IT Risk in every Compliance area risks in even the lowest-ranked areas were seen as significant by a third to half of the respondents. More significantly, more than half the respondents saw High or Critical IT Risk in areas governing the proper operation of their organizations and protection of critical information. This level of concern across so broad a range of roles and industries underscores how poorly managed these risks may be judged by those best-positioned to know. To help understand the impact of IT Risk associated with compliance processes, we compiled an index to measure the relative importance of each of the six compliance measures above, and applied it to organizations with different demographics. Results show that organization size is a significant determinant of perceived compliance risk. For example, while 33% of organizations with more than 20,000 employees see compliance risk as critical to their organizations, only 15% of organizations with fewer employees do. Although a definitive explanation for this requires further investigation, the data are consistent with larger organizations greater complexity, number of business processes and operations, and geographic span of operations, exposing them to more regulations and requiring greater compliance with internal policies to monitor and govern organizational behavior. The Aerospace and Defense industry segment was the only industry in which a majority of respondents rated compliance risk as critical. And despite the stringent regulations they face, only 28% of Financial Services and 4% of Healthcare organizations rated compliance risk as critical. Respondents from Europe, the Middle East and Africa generally saw less risk associated with compliance than their counterparts in the United States. In Section 5, we will explore reasons for low risk ratings by organizations operating in high-risk environments.

11

Patient health and privacy connect when medical records are transmitted or stored.

Section 2

Process and technology effectiveness in Managing IT Risk

Effective IT Risk Management requires competence and investment in processes and technologies. Professionals surveyed at all levels of organizations across industries, scale, and geographic reach, see their organizations capabilities to deploy IT Risk Management technologies as more effective than their capabilities deploying processes.

13

IT Risk Management processes and technology

While acknowledging the relevance of Risk Management to IT, organizations often struggle to put its principles into practice. Participants ratings of their organizations effectiveness deploying processes and technologies for IT Risk Management depend not only on their organizations industry, size, range of operation and other demographic factors, but on the differing perceptions of professionals within the organizations. Controls for IT Risk Management
Although Risk Management principles have received wide attention, few organizations have formalized their IT Risk Management programs until recently. In the past few years, however, more organizations have added Chief Risk Officers and other executive positions with responsibilities for IT Risk management, or have adopted formalized service-management standards such as the IT Infrastructure Library (ITIL), ISO 17799, and COBIT to help them manage IT Risk. The most effective IT Risk Management programs use well-defined controls that combine wellchosen technologies and best-practice processes. We have identified eight technology and eight process controls that represent best practices for managing IT Risk (see sidebar, Process and Technology Controls for IT Risk Management, for details). They are derived from best practices defined by international standards including the code of practice for information security management (ISO/IEC 17799:20052), COBIT3 and ITIL, published by the United Kingdoms Office of
4 Government Commerce, refined by Symantec experience in dealing with highly effective organi-

zations, and expanded to encompass availability and performance in addition to security and compliance. We asked survey participants to rate their success implementing each of the defined IT Risk Management controls both process and technology. We also asked them to rate the amount of risk their organizations face, to determine whether organizations facing high levels of risk are more likely to have implemented highly-effective controls.

14

Process and Technology Controls for IT Risk Management

Process Controls IT and Security Strategic Management, Policy and Architecture architectures, policies and strategies defined to run IT services Organizational Structure, Roles and Responsibilities standards for interactions between groups; authority for security and external security-related communications Training and Awareness processes to increase visibility and knowledge of security risks Assessment and Auditing processes to assess the environment, controls, policies and processes used to implement strategy Authentication, Authorization and Access Management processes and technology to verify users identities and control access to resources Operational Design, Workflows and Automation design and implementation of automated solutions; workflow and resource management Asset Inventory, Classification and Management processes to identify and classify assets, supporting execution of asset-class-based policies Incident Readiness and Response standards for preparation for and response to incidents Technology Controls Application Design, Development and Testing processes, procedures, and methodologies to ensure that new and updated applications are appropriate, efficient and secure Systems Build and Deployment systems and technologies to assure effective, secure deployment of new and updated systems Data Life Cycle Management technology to move, replicate and protect data Configuration and Change Management tools and processes to regulate change Resilient Infrastructure technology to detect and correct vulnerabilities related to availability (e.g., redundancy and failover) Performance Management technology to monitor and manage system performance Network, Protocol and Host Security network design and infrastructure including segmentation, protocols, perimeter defense and availability Physical Security technologies governing access to IT infrastructure and facilities

15

Process effectiveness
We surveyed our sample of IT professionals (n=310) to understand how effective they thought their organizations were in deploying eight key process-based controls. The results are shown in Figure 4.
IT Risk Management Process Effectiveness
100% 80% % of respondents 60% 40% 20% 0% Authent., Organizational Incident Authorization, Structure Response Access <10% effective 25% effective IT Policy Assessment, Management, Audit Architecture 50% effective Training, Awareness Operational Asset Inv., Design Classification, Management >90% effective

75% effective

Figure 4: Ratings of organizations effectiveness at IT Risk Management processes, ordered left-to-right in decreasing order of perceived effectiveness.

Authentication, Authorization and Access was rated highest for effectiveness, with 68% of respondents rating their organizations more than 75% effective. Asset Inventory Classification and Management was lowest, with only 38% rating their organizations more than 75% effective. The findings show that most IT professionals feel their organizations are most effective deploying tactical controls for which they are accountable: organizational structure, and authentication, authorization, and access. They rate themselves moderately effective at policy-setting and compliance, assessment and audit, and incident response. And few felt they performed effectively in employee and IT staff training and awareness, operational design, or asset management. The data show that the path from basic performance to best practice requires moving IT Risk Management programs away from a reactive posture, designed for protection against malicious external threats. Instead, programs should raise IT Risk awareness and spread avoidance and mitigation efforts throughout their organizations. Respondents rated Asset Inventory Classification and Management least effective of all their deployments. Yet this discipline is fundamental to build an IT Risk Management program that reflects the organizations priorities. Without careful risk assessment, all assets are likely to be treated equally, so that some will be overprotected and others underprotected.

16

Technology effectiveness
Figure 5 below represents how effective organizations are in deploying technology controls:
IT Risk Management Technology Effectiveness
100% 80%

% of respondents

60% 40% 20% 0%

Network, Protocol, Host Security <10% effective

Physical Security

Resilient Secure Data Infrastructure Lifecycle Management 50% effective

Secure Systems

Config. Perform. Secure and Change Management Application Management Development >90% effective

25% effective

75% effective

Figure 5: Ratings of organizations technology effectiveness, ordered left-to-right in decreasing order of perceived effectiveness.

Network Protocol and Host Security and Physical Security were the top-rated technology control deployments, with 80% and 77% of respondents, respectively, rating their organizations more than 75% effective. These are the strongest ratings of all controls, process or technology. Configuration and Change Management received such ratings from only 55% of respondents, and Performance Management from just 52%. Secure Application Development was least-frequently rated effective, with only 43% rating their deployments 75% effective or higher. The low ratings of configuration and change and performance management deployments are significant. Organizations use these technologies to understand the configurations and performance levels of IT assets so they can minimize service disruptions and increase throughput. These deployments are critical in keeping systems stable, performing effectively, and up to date. Poor configuration and change management also constrains efforts to adapt and modernize systems for new opportunities or threats. Although the survey identifies change management as a problem area, there are recent signs of improvement. In their ITIL Change Management Maturity Benchmark Study,5 Evergreen Systems noted that, IT executives are increasingly integrating and internalizing change management procedures, processes and tools as core components of the organization. We will see in Section 4 that these disciplines are important drivers of performance improvements in IT organizations.

17

The role of secure application development is growing, as IT professionals recognize its effectiveness in preventing exploitation of application vulnerabilities by eliminating them at the source. The technology requires substantial early investments in tools and skills, so while secure application development proves very cost-effective over time, it remains in an early stage of adoption at most organizations.

Technology and Process effectiveness index

To compare organizations effectiveness deploying IT Risk Management processes and technology by industry, geography, organization size and respondent job role, we defined two indexes. The first averages ratings for eight process controls, the second for eight technology controls. We set levels to classify organizations as Strong, Good, Weak or Poor at implementing and deploying these controls. Figure 6 compares these effectiveness ratings. It shows that organizations are generally more effective implementing technology than they are processes: 33% rated Strong on the Technology Effectiveness Index; only 25% on the Process Effectiveness Index.
IT Risk Management Process vs. Technology Effectiveness
Effectiveness Index 100% 80% % of respondents 60% 40% 20% 0% Process Poor Weak Good Technology Strong

Figure 6: Effectiveness indexes of organizations, rating implementation effectiveness of technology and process controls; each index averages eight individual factors. Organizations implementations are generally stronger for technology controls.

Process effectiveness lags behind technology despite the recent industry focus on processes, using frameworks such as ITIL, ISO and COBIT.6 For a closer look, we analyzed the data according to demographic categories. The relative strength of technology over process effectiveness was robust across industry, organization size, operating region, and professional role of respondents, with just a few variations, specifically:

18

 only in Government, Healthcare and Manufacturing did effectiveness deploying process controls even approach parity with effectiveness deploying technology controls; in no case were process controls rated more effective. large organizations and global organizations (often the same) were more effective deploying both technology and process controls, but every classification showed greater effectiveness with technology controls than with process controls. ratings of overall effectiveness from Managers were higher than those from either Directors or Executives; again, all groups rated their organizations more effective with technology than with process controls for IT Risk Management.

Best in Class: IT Risk and incident expectations

To help understand what makes organizations stand out as Best in Class at IT Risk Management, we divided 310 respondents into quartiles according to their overall effectiveness in the 16 process and technology controls identified earlier. The classifications were: Best in Class top quartile (76th or better percentile, n=77) Better second (51st to 75th, n=78) Good third (26th to 50th, n=77) Worst fourth (25th or worse n=78) For each quartile, we calculated and plotted separate indexes for regulatory and operational IT Risk (across 6 compliance and 7 business-process IT Risk areas), together with the rates at which respondents expected IT incidents. Results appear in Figure 7.
Perceived IT Risks and Incidents by IT Risk Management Effectiveness
by Quartile 5 4 Index 3 2 1 Worst Good Better Best

Compliance Risk

Business Process Risk

Incidents

Figure 7: Expected IT incident rates and two categories of IT Risk for organizations in each IT Risk Management performance quartile. IT incident expectations decline with effectiveness, despite increasing perception of IT Risk.

19

These results show that organizations rated more effective at managing IT Risk also experience higher levels of both Regulatory and Operational Risk. We had anticipated higher incident rates at high risk levels, either because negative impacts are more likely where risk exposure is higher, or because organizations base their perceptions of risk on incident expectations. The data show the opposite: effective organizations expect fewer incidents despite operating in riskier environments. This result suggests that by building awareness of exposure to IT Risks and improving technology and processes for mitigating them, organizations may actually reduce incident rates below the levels experienced by less-effective firms operating in safer environments. The result also cautions organizations not to count on a low-exposure operating environment to protect them from incidents without effective technical and process controls.

Effective IT Risk Management performance

The relationship between organizations IT Risk Management controls and expected incident rates deserves a close look. For example, weve seen that despite facing the studys highest levels of risk, best-in-class organizations expect the lowest realization of IT Risk, measured as incidents. Clearly, they are doing something right what is it? When we fielded the research, we believed that the 16 process and technology controls identified in earlier sections would prove to be effective defenses or countermeasures, reducing an organizations exposure to both external and internal IT Risks. To test this hypothesis, we used data from performance quartiles identified in the preceding section to plot organizations effectiveness in deploying each individual process or technology control. In the radar graphs of Figure 8, gaps between the concentric polygons reveal differences in effectiveness from one performance quartile to another for example, the jump in Training and Awareness process effectiveness between the Worst and Good groups in Figure 7. Asymmetries in the polygons reveal imbalances in effectiveness for example, the high estimates of Network Protocol, Host Security technology effectiveness for all quartiles in Figure 8. The lowest-performing quartile shows modest performance in two process areas (organization and authentication/authorization/access) and two technology areas (network and physical security). These areas are the most tactical in scope and straightforward in implementation, and therefore where most organizations get started. They have deployed other controls lightly or not at all, and assess their deployments as fairly ineffective.

20

Effectiveness with Controls for Managing IT RIsk Process Controls

by Quartile Asset Inv., Classify, Mgmt. 5 4 Org. Structure Assesment, Audit 3 2 Authent., Author., Access 1 Training, Awareness

IT Policy Mgmt., Architect Incident Response

Operational Design

Technology Controls
by Quartile Perform. Mgmt.

Network, Protocol, Host Security

Secure Systems

Physical Security

Secure Appl. Development

Resilient Infra.

Config. and Change Mgmt.

Secure Data Lifecycle Mgmt.

Worst

Good

Better

Best

Mean

Figure 8: Process (top) and technology (bottom) control effectiveness scores for organizations in each performance quartile. Organizations with higher performance show effective performance across most or all measures (shown as distance from the graphs center), rather than heavy emphasis on a few.

Moving from the lowest quartile to the highest reveals a clear trend. More-effective organizations increase the number of controls they deploy, and raise the effectiveness of deployment of each control. Organizations in the top two quartiles begin to experience diminishing returns in areas such as physical security and authentication, authorization, and access, and much better returns on measures such as configuration and change management, data lifecycle management, operational design, training and awareness, and others. The path from good to great IT Risk Management, then, involves moving from tactical, technical, and reactive to strategic, expansive, and proactive measures. It also requires a balanced program to evaluate all 16 measures and optimize incremental investments of people and dollars to achieve the greatest impact.

21

Critical connections face unique risks, and require special defenses.

Section 3

Aligning IT and business risks

Organizations manage risks so that they can pursue opportunities while keeping costs under control. Aligning differing perspectives on and activities toward IT Risk among technical staff, managers and executives, and across departments and regions is critical to avoid gaps, duplication, and waste.

23

Aligning IT Risk strategy to organizational goals

Aligning their operations to support organizational strategy is a top priority for IT executives worldwide. An effective IT Risk Management program creates an IT Risk profile that supports the businesses larger objectives, accepting more risk where business impact is low, and managing risk more closely in areas where the most is at stake. IT Risk Management strategy the importance of alignment
Aligning IT to business strategy has been a consistent theme in the IT professional and industry press for years. Yet progress is slow: CIO Magazine recently reported their readers number-one priority for 2007 was again aligning IT and business goals.7 Why is alignment so important, and how can an IT Risk Management program advance it? When business and IT operate in alignment, clearly-visible links identify which IT assets and operations support business operations and the value they create. This visibility transforms IT from a cost center to a driver of business value. Alignment clarifies how IT resources may be deployed to bring products to market faster, deliver more effective service to customers, and generate new revenue streams for the business. Aligning an organizations IT Risk strategy to business strategy is as important as operational alignment. Organizations risk profiles differ according to their lines of business and the strategies they pursue to maximize their effectiveness. Just as IT departments align their operations to best support those business objectives, they must align their Risk Management strategies as well investing most heavily to mitigate those risks with greatest potential for business impact, and assuming greater exposure in those areas whose likelihood and impact are lower. Whatever an organizations risk profile and level of risk tolerance, risk mitigation typically means the ability to manage a larger risk portfolio. Alignment closes gaps between organizational and IT Risk strategies that would leave the organization critically exposed to internal and external risks of all kinds. It also cuts duplication and over-investment that wastes resources and creates unnecessary IT complexity and cost. Finally, a well-prepared IT Risk Management plan also guides system design and decision-making, resulting in higher operational efficiency, greater capacity for innovation, and lower IT costs. As a result, an effective strategy for mitigating IT Risk may both protect an organization against incidents, and reduce IT cost and complexity.

24

Our survey data identified lack of alignment on assessments of IT Risk within IT departments themselves, and between IT departments and the organizations they serve.

Achieving internal alignment on IT Risk

The survey classified respondents jobs into Executive, Director, Manager, and Professional categories. Since the latter group includes non-IT employees, consultants, and third parties, the analysis concentrates on the first three groups. Respondents reported the level of IT Risk they perceived, first in complying with regulatory and policy requirements, and second in carrying out business operations. Figure 9 shows the level of compliance risk perceived across the range of professional responsibilities in the survey. The results show an organizational chasm between the ranks of Managers who implement IT programs and therefore bear responsibility for the internal risk exposures and shortcomings of the organization and senior Executives who set direction for the organization, and bear responsibility for its exposure to external risks. The chasm appears in the assessment of Critical risks at the Director level. Directors were least likely to perceive compliance risk as Critical: only 16% did so, against 22% for Executives and Managers. Assessments of High risks were close to parity: 44% of Directors rated their compliance risk as High, the same as Managers and two percentage points below Executives.
Perception of Compliance IT Risk by Professional Responsibility
by Job Role 100% 80% % of respondents 60% 40% 20% 0% Executive Low Director Moderate High Manager Critical Professional

Figure 9: Ratings of organizations compliance IT Risk by respondents in four job categories. Directors reported lower levels of compliance risk than Executives or Managers.

25

Figure 10 repeats the analysis for IT Risk introduced by Business Processes. Misalignment of IT Risk perceptions was even more dramatic, but in the opposite direction: 22% of Directors perceived Business Process Risk as Critical, against only 8% of Executives and 12% of Managers.
Perceptions of Business Process IT Risk by Professional Responsibility
Job Role 100% 80% % of respondents 60% 40% 20% 0%

Executive Low

Director Moderate High

Manager Critical

Professional

Figure 10: Rating of organizations' business process IT Risk by respondents in four job categories. Directors reported lower levels than either Executives or Managers.

Disagreements among the ranks continued with process and technology effectiveness ratings. Section 2 revealed different effectiveness ratings for deployment of process and technology capabilities. A closer look shows that while 39% of IT managers report their organizations 75% or more effective in implementing technology capabilities, only 27% of executives agreed. Again, IT professionals differ by job role in assessing their risk-management environments. Of course, since these respondents were drawn from different organizations, alignment may be better within organizations than the job-role analysis suggests. But the systematic differences seen among Executive, Director and Manager perceptions were outside expectations based on differences in experience with a regulation or technology. The survey data, as well as discussions with respondents, revealed that the operational staff closest to implementation of IT programs may be the most inwardly-focused, and have the highest awareness of specific weaknesses. Senior executives most removed from day-to-day operations may share a high perception of IT Risk, but with perceptions based on awareness of external factors and concern for the unknown. The Director level which would ideally bridge these operational and strategic viewpoints to facilitate alignment may be biased toward tactical operational risks over external or regulatory risks, due to their direct accountability for operational IT Risks.

26

Alignment the business side

Collecting data for this study at IT conferences and roundtables, we heard a recurring theme about alignment. Respondents told us that training users about IT and security risks, for example, ranked among their greatest challenges. Recall that in Figure 4 of Section 2, we saw that Training and Awareness ranked third from the bottom in effectiveness among eight process controls. They insisted that technology-based controls can only go so far, and that effective mitigation of IT Risk requires behavioral changes by end users throughout the organization. Two elements were frequently cited as necessary to encourage behavioral change. The first was quantification of value to the organization as a whole. Until an organizations stakeholders understand the impact of lost information, unavailable systems, and non-compliant processes in terms that are meaningful to them lost sales, dissatisfied customers or reduced productivity, for example sustained focus will remain out of reach. Dramatic examples of extreme but infrequent events such as major failures and 100-year natural disasters provide insufficient motivation to do more than the minimum. The second element is culture. Organizations have different risk profiles to which IT Risk programs should be tuned. But they may also incorporate different workforces and cultures that will accept different levels of IT policy awareness and compliance. For example, a company with tens of thousands of employees averaging 24 years of age may require a very different policy for IM use and Web access on company systems and time than smaller companies with older workforces. Selective enforcement and highly visible actions may be more effective than stringent policies that are unenforceable because they fail to align with the organizations culture.

Why alignment on IT Risk matters

Misalignment of perceptions and actions is more than just a source of internal disagreement about IT Risk Management policy; it can itself become a source of IT Risk. Misalignment occurs in two ways, either of which may elevate risk. The first type of misalignment is internal to IT, causing gaps in the way systems and processes are developed, deployed and managed. Invisible until something goes wrong, these gaps may cause sudden unexpected service-level shortfalls, system downtime, and security breaches. Today this disconnect often occurs along organizational lines for example, in the seams between the executives and functions responsible for security, compliance, and operational business continuity and availability. Solutions such as messaging typically require all these functions to converge on a solution that is secure, available, and compliant, yet organizational alignments make convergence difficult to achieve.

27

The second type of misalignment is between the IT function and the rest of the organization. The IT Risk program may not fully reflect or respond to the needs of the organization as a whole, resulting in loss of agility and increased risk. Alternately, organizational units and functions may not have sufficient awareness of their own IT Risk exposures. These disconnects result in ivory tower IT programs that over-invest in risk areas relevant to IT but not necessarily high organizational priorities, or under-invest in areas critical to organizational goals. Both result in lower contributions to the organizations overall success. Active management and mitigation of IT Risk requires IT departments to avoid risks created by misalignment. First, they must make sure their departments are aligned internally. From the CIO to the backup administrator, everyone in the department should share an understanding of IT Risks and priorities, and how they relate to their own areas of responsibility. Second, IT management must work closely with clients and stakeholders in the organization as a whole, enlisting their help to assure that IT priorities reflect the organizations goals and objectives, and to drive compliance with IT Risk Management programs where necessary. In combination, internal and business alignment assures appropriate resource allocation and operational efficiency. Companies following best practices in managing IT Risk incorporate the IT Risk strategy within the organizations annual planning process to ensure alignment within IT and across the organization, and then track performance at an executive level as part of a corporate balanced scorecard.

28

Sample questions
How do your incident expectations measure up to those of the organizations in the survey? Answer these four questions, and check your results against survey norms on the last page of the report: Context: What reflects the expected frequency of the following incidents in your organization? 1. Regulatory Non-Compliance Your enterprise is found to be out of compliance with one or more governing regulations: Never Once every 5 years Once every 2 years Once a year More than once a year 2. Major Information Loss Service impact to your organization, caused by a loss of information, confidentiality, integrity or availability (e.g. data center outage, data corruption, full breach of security): Never Once every 5 years Once a year Twice a year More than twice a year 3. Major IT Impact Severe impact to your IT organization affecting more than 10% of your clients and/or servers halting operations of some critical part of your operations: Once every 5 years Once a year Twice a year 5 times a year More than 5 times a year 4. Minor IT Impact Minor impact to your IT systems affecting less than 10% of your clients and/or servers, hinders the work of individuals or groups: Once a year 10 times a year 20 times a year Every day More than once a day

Answers to self-test on page 47.

29

Your business depends on reliable connections with suppliers, distributors, and customers.

Section 4

Understanding effective Risk Management

Organizations achieve effective IT Risk Management by deploying a broad range of IT technology and process controls. The transition from good to great IT Risk Management is achieved primarily by increasing effectiveness across the full range of measures in a structured, disciplined program that proceeds from a broad assessment of IT Risks to a closed-loop process of continuous improvement.

31

Understanding effective IT Risk Management

How can an organization build its capabilities for IT Risk Management? While there is no single formula or protocol, a broadly-applicable assessment, quantification, design, alignment and measurement program can help organizations marshal their resources effectively to achieve real, lasting improvements in IT Risk Management, often while reducing IT infrastructure and process complexity and cost. Achieving Best in Class IT Risk Management
Few organizations have achieved the level of IT Risk Management performance achieved by Best in Class organizations in this survey. The field is still emerging, and not all organizations are yet organized to deal with IT Risk in an integrated fashion. Nor do all companies face the same levels of IT Risk or share similar risk profiles. The case for change, however, is compelling: organizations are experiencing rising incident rates across the areas of security, availability, performance, and compliance, with significant impact to revenue, reputation, productivity, and cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthor8 ized access to information averaged over $85,000 in 2006, and system downtime costs reached

tens of thousands of dollars per hour.9 It doesnt take long for incidents of this scale to create significant drag on an organization. How can organizations advance from good IT Risk Management practice to great? For organizations trying to manage IT Risks effectively, the challenge includes understanding their portfolio of IT Risks, quantifying and prioritizing them against the organizations risk profile, and developing an effective program of remediation activities. A five-step process can help organizations assess their levels of IT Risk, develop remediation roadmaps, and ultimately build effective, continuous IT Risk Management Programs. While the steps themselves, detailed in Figure 11, may seem familiar, the specific tools and tasks supporting them are very valuable, and linkages between phases help maintain focus and continuity of organizational commitment.

32

IT Risk Assessment and Management Process Step 1 Step 2 Step 3 Step 4 Step 5

Develop Awareness of IT Risks

Quantify Business Impacts

Design Solution

Align IT / Business Value & Implement Solution

Build & Manage Unified Capability

Figure 11: Five-step IT Risk Mitigation process.

Step 1 Develop awareness of IT Risks IT Risk mitigation begins with comprehensive discovery, including: establishing the programs scope (how expansive a view of IT Risk is appropriate?) constructing a risk profile for the organization based on its overall priorities identifying key areas of IT Risk For many companies, the challenge of discovery includes both identifying new areas of risk, often by evaluating the risk profile and assessment against IT best practices, and organizing the dozens or hundreds of IT Risks of which they are already acutely aware. A common question at this stage is, How do I take the issues I already know about and assemble them into a comprehensive, structured framework I can assess and prioritize? A clear framework requires identifying critical IT assets and understanding how they support critical business processes. Critical assets include the technology infrastructure underlying corporate operations, staff with privileged access to information, and the organizations IT operational processes. Assessment should also consider the organizations current requirements, capabilities and vulnerabilities. Requirements include legal obligations such as regulations, contracts, and service level agreements, as well as business requirements such as the privacy, availability, and integrity of business information. Finally, this stage involves identifying and classifying threats, issues, vulnerabilities, and weaknesses, assigning each a priority according to risk. The search for vulnerabilities and weaknesses should cover applications, infrastructure, operations, and organizations.

33

Step 2 Quantify business impacts Quantifying business impacts is typically the most challenging step and the most important. Until they have quantified the impact, positive or negative, of addressing an area of IT Risk, IT leadership may be unable to attract their colleagues attention to it, or the funds needed for mitigation. The currency of the business case varies according to the business and the area of risk. A Web site crash will mean lost revenue or sales for a retailer, negative brand impact or lost viewers for a media company, lost productivity for a manufacturer, and so on. The key is to build a case that makes sense in the local currency, whatever it may be. Quantification of business impacts typically follows a two-phased approach. In the first, the full portfolio of risks is coarsely prioritized based on potential business impacts according to the organizations risk profile and the ease or difficulty of risk mitigation, measured in time, staff resources, and investment. The second phase builds detailed business arguments for only those risks identified as high-impact areas. The model can be iterative, and it should be periodic, linked to the organizational and IT planning cycles. Step 3 Design solution At this point, the organization knows the scope and components of its Risk Management program, its current status, and the priority and quantification of each area of IT Risk. The next step is to design a set of remediation solutions, across the classic elements of people, process, and technology, each with requirements, specifications, goals, and functions. For some organizations this will be a narrowly-focused activity to address the most imminent areas of risk; for others a longer-term program with sequenced waves of initiatives. This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals. For example, a model might be designed to provide tiered levels of service based on the priorities for different types of data and portions of the business. Solutions that reduce risk frequently also reduce complexity and cost. This is especially true when risks have been introduced by dense or poorly-followed processes, misaligned organizational models, or unclear requirements or policies.

34

Step 4 Align IT and business value; implement solution Although quantification is the most difficult step, most programs success lies in the effectiveness of implementation. Implementation determines whether risk-mitigation initiatives are deployed successfully across people, process, and technology with close involvement of organizational stakeholders, or devolve into local IT projects measured narrowly by software and gear implemented and administrators trained. Closed-loop measurement and continuous improvement are essential. With a coherent system of metrics and performance management capabilities, organizations set the stage for collection of baseline data, performance tracking, and assessment of program effectiveness against the original business case. Step 5 Build and manage unified capability Once implementation of the first wave of IT Risk solutions is underway, organizations should institute programs for continuous improvement and ongoing governance of their IT Risk Management program. As in most change-management programs, IT Risk Management follows a maturity model that begins with tactical basics and evolves to Best-in-Class performance. For most organizations, their position in this maturity model depends on their IT Risk profile and progresses through several waves of organizational, process, and technological change before reaching its goal. By adapting their efforts as their experience and effectiveness grow toward maturity, organizations can avoid or overcome the most common implementation challenges, including: replacing guesswork with quantification and prioritization of IT Risk Management efforts and investments replacing intermittent, reactive projects with a program that delivers consistent improvements over the long run replacing speculation with clear progress against consensus goals to secure the long-term investments needed for mitigation of IT Risks

35

Connections bring both opportunities and risks managing them is everyones job.

Section 5

Risk Mitigation: process and payoff

In order to understand organizations IT Risk strategies better, we classified respondents into profiles based on their level of IT Risk and IT Risk Management effectiveness. While there are many ways to manage risk successfully, the resulting levels of risk and the costs to the organization can vary greatly. The best companies align investment to exposure, to focus attention and resources where they matter most.

37

IT Risk mitigation profiles

The way an organization manages the challenges in its environment can make the difference between a defensive, reactive position and an active posture that gives it the freedom to choose appropriate risks, effective actions, and its own path. Effective mitigation
To explore the limits of risk mitigation, we performed a cluster analysis (n=310) to identify consistent patterns in survey respondents risk exposure, effectiveness of mitigation efforts, and expectation of IT incidents. The analysis revealed three groups in which respondents are similar to one another, but different from those in the two other segments: At-Risk respondents (35%) struggle to cope with IT risk: they see their organizations facing medium to high levels of IT Risk, but demonstrate poor effectiveness in addressing it through mitigating process and technology measures. Organizations with this profile typically expect a high rate of incidents. IT Risk Mitigators (23%) maintain effective IT Risk Management programs, but actually experience low levels of IT Risk. Organizations in this category seem to address IT Risk through overinvestment, ensuring mitigation, but at high costs. IT Risk Balancers (42%) pursue a matching strategy, meeting their organizations high levels of IT Risk exposure with highly-effective mitigation processes and technologies. These organizations are frequently Best in Class. Figure 12 shows the performance of the three groups revealed by the cluster analysis, displaying all five underlying measurements instead of the single composite score used to create the clusters. The most interesting results are from the IT Risk Mitigator cluster. Mitigators, like Balancers, show high process and technology effectiveness yet they face the lowest IT Risk levels of any group. Nothing in their underlying demographics separates Mitigators from Balancers. Instead, it appears that these organizations have chosen IT Risk Management strategies that meet comparatively low levels of IT Risk with investments that keep their mitigation processes and technologies highly effective. Mitigators expect to enjoy low incident rates, but it is possible that the Discovery and Quantification steps of a well-planned IT Risk mitigation program would identify over-investments, signaling excessive costs, and missed opportunities elsewhere.

38

IT Risk Exposure, Control Effectiveness and Incident Experience by Performance Cluster

Compliance Risk Index

Technology Effectiveness

Operating Risk Index

Process Effectiveness Index

Incident Index

At Risk

Balancer

Mitigator

Figure 12: Organizational clusters, showing all five underlying measurements. Mitigators deploy high technology and process effectiveness despite comparatively low levels of compliance and business-process IT Risk.

Figure 13 shows how the groups identified by the cluster analysis would map onto a two-factor grid of IT Risk exposure (bottom axis) and IT Risk Management effectiveness (side axis):
Risk Management Patterns Cluster Analysis

IT RIsk Management Effectiveness

High

IT Risk Mitigators

IT Risk Balancer

Low

IT Risk

Low-Mid IT Risk Exposure

High

Figure 13: Data from the cluster analysis grouped according to IT Risk exposure and IT Risk Management effectiveness, showing that both Balancers and Mitigators deploy highly effective controls despite different levels of risk.

The cluster analysis did not identify a fourth group, occupying the lower-left quadrant and combining low levels of IT Risk and poor implementation of IT Risk Management programs. We suspect that such organizations are underrepresented in our sample because they are less likely than others to participate in surveys about IT Risk Management or attend industry events with IT Risk Management prominent on the agenda.

39

We speculate that this group faces low levels of risk, and implements IT Risk Management programs poorly, if at all. Their IT Risk strategy, which may not be articulated, might be to react to risks one by one as they arise, absorbing incident costs when that reaction is missing, inadequate or too late. Some may self-insure against IT Risks by maintaining reserves of financial assets to help with recovery from incidents.

Risk mitigation: how far?

Can highly-effective IT Risk Management programs ever eliminate IT Risk? Research and common sense suggest not and certainly not at a reasonable cost. IT Risk must be managed, minimizing risk and cost in areas most vital to the organization, without constraining business performance. And as organizations evolve over time, business priorities change, new regulations are enacted, and new external and internal threats to information and infrastructure crop up every day. A changing IT Risk landscape demands consistent, programmatic management to adapt to and mediate new forms of IT Risk. The five-step approach described in Section 4 emphasized the importance of iteration and management to address risk as part of a program of continuous improvement. Organizations that manage their risk portfolios effectively create opportunity: they can make educated, informed decisions on how and when to take on additional risk. Their improved IT Risk Management capacity gives them latitude to innovate and explore a wider range of business options. ITs support of this capacity for flexible innovation is among its greatest contributions to business value.

40

Operational efficiency the same path to a different goal

We undertook this study to understand IT Risk and the effectiveness of technology and process controls in managing that risk. We assumed Balancer and Mitigator organizations worked primarily to reduce organizational risk and while true, it may not be the full story. Organizations may also choose to invest in process and technology improvements with a primary goal of increasing operational efficiency. Lower risk levels in the Mitigator cluster and lower incident rates among the Best-in-Class would then be by-products of investments made for operational effectiveness. Our results dont speak to their motivations. But regardless of the motivations, these disciplines have positive impacts. Risk-management investments pay off by reducing incidents and freeing organizations to compete with greater confidence, agility, and success.

41

Conclusions
An organizations assets, operations, and personnel may be brought to harm by internal or external threats carried out or weaknesses exposed across IT networks and systems. Managing IT Risk in service of your organizations mission is the subject of this report, and the purpose of this series. In a major year-long study, IT professionals reported significant gaps and shortcomings in their organizations deployments of controls to help them manage IT Risk. Respondents rated their organizations more effective at implementing risk-management technology than processes across the full range of industries, geographies, organization size and professional responsibilities. And they saw particular problems in managing IT assets and configuration and change control both areas of critical importance in bringing IT Risks under control. Respondents also displayed different perspectives on risk based on their individual responsibilities, and identify serious problems aligning and coordinating IT Risk Management with the broader goals of their organizations. Misalignment is itself a source of IT Risk, from risk exposures created by gaps between IT and organizational perceptions and priorities, and overinvestment in areas of low organizational priority, sapping resources more effectively deployed elsewhere. Best-in-class organizations even though they face higher levels of IT Risk anticipate fewer incidents, due to careful investments that maintain high effectiveness over the entire range of technology and process controls. The report outlines a five-step process to help organizations put consistent, measurable, longterm programs in place, avoiding over- and under-investment, and achieving steady improvements measured against consensus goals. Managing IT Risk is everyones job. From the CIO to the backup administrator, everyone should share a common understanding of IT Risks, their priorities, and how they relate to their individual areas of responsibility. IT management must work closely with their business clients to assure those priorities reflect the goals and objectives of the business as a whole. In combination, internal and business alignment assures appropriate resource allocation and operational efficiencies.

42

43

Appendix
Methodology
Data collection Between October 2005 and October 2006, Symantec collected 528 responses from IT professionals attending IT events worldwide. Respondents completed survey questionnaires and submitted results in person. Respondents were offered and received a report comparing their responses to a benchmark group. To ensure candid responses and protect participants privacy, Symantec contracted a third party, Ecosystems LLC of Vienna VA to collect, process, aggregate, and protect the confidentiality of survey results on behalf of Symantec. Survey instruments Symantec collected 528 records using two survey instruments. The first, with 218 respondents, covered Compliance Risk, Incident Rate, Technology Effectiveness and Process Effectiveness. The second added a section on Business Process Risk and additional questions about Compliance Risk, Technology Effectiveness and Process Effectiveness. An additional 310 individuals responded to the expanded survey. Most questions were identical on both surveys, so we combined those results for a sample size of 528. Additions and improvements to the second survey prevented use of the full record set for every analysis. As a result, much of the report reflects the 310 responses from the second survey, with the larger sample size and more complete set of questions.

Demographics
We fielded both versions of the survey to a broad demographic group, and identified the industry, number of employees, respondent job role and global or regional coverage of the respondents business operations. These demographics provided the variables for much of our analytical work. Industry was classified into 37 segments, assembled into seven groups. The Other industry group comprises Agriculture, Mining, Construction, Retail, Wholesale and Energy.

44

Respondents by Industry
Public Sector Financial Services Services Manufacturing Other Telecom, Media Healthcare 0 10 20 30 40 50 Number of Respondents Survey 2 60 70 80 90

Survey 1

Figure A1: Breakdown of 528 responses by industry. Please see the text for details.

We collected 161 and 308 job-role classifications from Surveys 1 and 2, respectively. We attribute the lower response rate for job roles in Survey 1 to privacy concerns among European respondents. The Professional role includes business, consultant and other non-IT job functions.

Respondents by Professional Responsibility

Executive

Director

Manager

Professional

20

40

60

80

100

120

Number of Respondents Survey 1 Survey 2

Figure A2: Breakdown of responses by respondents professional responsibilities. Please see the text for details.

45

We measured organization size according to number of employees. As seen below, 215 respondents from Survey 1 and 299 respondents from Survey 2 reported the total employee count at their organization.
Respondents by organization size
> 20,000 employees 5,001 to 20,000 employees

1,001 to 5,000 employees < 1,000 employees 0 10 20 30 40 50 Number of Respondents Survey 1 60 70 80 90 100

Survey 2

Figure A3: Breakdown of responses by organization size. Please see the text for details.

We asked respondents to indicate the major areas of the globe in which their organizations had operations. This question allowed respondents to pick multiple geographic regions, so the number of responses exceeds the number of respondents. Since we did not identify headquarters country, specific attribution of responses to geographic regions is not possible. We can, however, understand risk-management behavior in terms of geographic scale of operations and globalization.
Respondents by organization operating regions
Asia Pacific

EMEA

Latin America

North America

50

100

150

200

250

300

350

Number of Respondents Survey 1 Survey 2

Figure A4: Breakdown of 528 responses by respondent organizations operating region. Please see the text for details.

46

We collected 92 of the 528 total responses during events conducted in Europe and South Africa, most during events based in the United Kingdom. Where appropriate, we compared these to the rest of the data set. Please see the report text for details.

Use of Indexes
Indexes used in the report measured total importance or impact of a risk, effectiveness measure, or incident rate across respondents. During the analysis phase, we used the data to create six indexes summarizing the average response to a set of questions. We used each index to compare means across organization demographics or respondent group, and for correlation and comparative analysis. The six indexes used in the analysis are: Compliance Index compliance risks listed on page 11. Business Process Index business process risks listed on page 19. Incident Rate Index incident expectations, as described on page 19. Process Effectiveness Index effectiveness of organizations at implementing process capabilities listed on page 18. Technology Effectiveness Index effectiveness of organizations at implementing technology capabilities listed on page 18. Overall Effectiveness Index combination of the previous two indexes.

Answers to the Self-Test

To score your responses against incident expectations reported by 310 respondents in Survey 2, assign a value of 1 if you selected the least-frequent alternative, 2 for the next, to a maximum of 5 for the most-frequent alternative. Add the four scores, and then compare them to the survey sample using this table: Best in Class = fewer than 6 points

Good performance = 6 to 10 points Underperforming = more than 10 points

47

References
Notes
1

Michael Porter. Competitive Advantage: Creating and Sustaining Superior Performance. (New York: The Free Press, 1985). Information Technology Security Techniques Code of Practice for Information Security Management. (ISO/IEC 17799:2005(E). (Geneva: International Organization for Standardization, 2005). Aligning COBIT, ITIL and ISO 17799 for Business Benefit. (Rolling Meadows, IL: IT Governance Institute and Norwich, UK: Office of Government Commerce, 2005). IT Infrastructure Library, http://www.itil.co.uk. (Norwich, UK: Office of Government Commerce). ITIL Change Management Maturity Benchmark Study. (Sterling, VA: Evergreen Systems, Inc., July 2006). Sunny Gupta. ITIL Adoption. E-Business Blog, http://www.line56.com. (Los Angeles: Line56.com, Oct 13, 2006). CIO Magazine. State of the CIO Survey. http://www.cio.com/state. (Boston: International Data Group, 2007). Lawrence Gordon, Martin Loeb, William Lucyshyn and Robert Richardson. 2006 CSI/ FBI Computer Crime and Security Survey. http://www.goCSI.com. (San Francisco: Computer Security Institute, 2006). From Contingency to Continuity. Information Age, http://www.information-age.com. (London: Infoconomy, Ltd. February 10, 2004)

General References
Adner, Ron. Match Your Innovation Strategy to Your Innovation Ecosystem. Harvard Business Review, April 2006: reprint. Broussard, Frederick, Stephen Elliot, and Tim Grieser. ITIL Penetration is Moving Faster than You Might Think: Some Results of the System Management Software Strategies Study. Framingham, MA: IDC, March 2006. Champy, James. Four Steps to Successful IT/Business Alignment SearchCIO.com. Needham, MA: TechTarget, May 11, 2005. Craig, David, and Ranjit Tinaikar. Divide and Conquer: Rethinking IT Strategy. McKinsey on IT, Fall 2006: 4-13. Froot, Kenneth, David Scharfstein, and Jeremy Stein. A Framework for Risk Management. Harvard Business Review, November-December 1994: reprint. Hughes, Greg. Five Steps to IT Risk Management Best Practices. Risk Management Magazine, July 2006: 34-40. Kolodgy, Charles J., Christian A. Christiansen, Brian E. Burke, Sally Hudson, Allan Carey, Rose Ryan, J.D. Top 10 Predictions for Security in 2006: Countering Crafty Criminals and Insidious Insiders. Framingham, MA: IDC, March 2006. Lassiter, Lee. CIO Guide to Sarbanes Oxley. Edgewater, MD: ReymannGroup, Inc., January 2005. Macauley, Tyson. Operational Risk and Resiliency Frameworks, A tale of five risk management characters and how they fit into your organization. http://www.csoonline.com. Framingham, MA: CXO Media, October 30, 2006. META Group. Enterprise Application Trends. META Trends 2005/2006. Stamford, CT: Gartner, Inc. 2005. Rasmussen, Michael. Enterprise Risk Management, Measuring and Gaining Control of Risk. Cambridge, MA: Forrester Research, Inc., December 29, 2004. Vijayan, Jaikumar. Defending Data will be IT Manager 2007 Focus. http://www.computerworld.com. Framingham, MA: IDG Network, November 8, 2006.

48

NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

About Symantec Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com

Confidence in a connected world.

For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA 1 (408) 517 8000 1 (800) 721 3934 www.symantec.com

Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/07 11859849