Symantec IT Risk Mgmt Report 2 (2008)


1. comments

1.1. Despite traditional perceptions associating IT risk primarily with security risks

1.2. Spire Security

1.2.1. bit generic and ambiguous

1.2.2. the entire report is based on an opinion survey; don't expect real evidence of anything

1.2.3. Myth 1: anyone familiar with the entire profession around disaster recovery and business continuity (which is pretty much everyone) knows this already.

1.2.4. Myth 2: huh? I don't get it at all, and I don't think it is a myth.

1.2.5. Myth 3: hmmm, I don't know many folks that feel this way. In fact, most security pros suggest that "security is about process, not product." Now, it happens that I think technology has much more of a part to play than most of my colleagues (no, it isn't "technology alone" but certainly when trying to scale to technology levels, humans alone will fail). So I suppose this myth could be refuting my lone voice, but I doubt that's what they meant.

1.2.6. Myth 4: this one is complete, utter bullshit. You heard it here first. "Rather than experiment and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they manage their way across a changing business landscape." What a complete crock! And a copout... and completely unsupportable (though I guess that supports the claim, in a way).

1.3. example summary

1.3.1. Symantec Corp. (NASDAQ: SYMC) today released the Symantec IT Risk Management Report Volume II, revealing that awareness of the importance of IT risk management is increasing, however several myths persist. Despite the finding that practitioners are embracing a more balanced approach that encompasses security, availability, compliance and performance risks, misunderstandings of IT risk management can lead to potential IT system failures, and ultimately impact business continuity. The report also indicates process issues cause 53 percent of IT incidents, while IT often underestimates the frequency of data loss incidents.

1.3.2. "That told us two things: respondents are taking a broader view of IT risk and what constitutes it and they are shifting away from just a security-oriented view to one of availability, compliance and performance," said Jennie Grimes, senior director of Symantec's IT risk management program office.

1.4. Security no longer top IT concern Symantec

1.4.1. background

1.4.1.1. based on Symantec report survey of 400 IT managers

1.4.2. findings

1.4.2.1. top concern is network availability

1.4.2.2. not security as had been the case in earlier studies.

1.4.2.3. sec training ineffective

1.4.2.3.1. The survey also found plummeting levels of confidence in the abilities of users to keep networks secure. Support for security training fell to below 50 per cent for the first time, as most managers believe that it is ineffective.

1.4.3. rationale

1.4.3.1. "It shows that people are thinking in a more balanced way. IT managers are thinking that availability will bite hardest if the directors get annoyed because the network is down."

2. Symantec Report Home

2.1. Press Announcement Text

2.1.1. Urban Risk Legends Revealed. IT Risk — encompassing Security, Availability, Performance, and Compliance elements — is a critical issue for executives and boards of directors.

2.1.2. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals’ insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risks.

2.1.3. This report is intended for executives with responsibilities at the intersection of IT and business risk, including CISOs and vice-presidents of Risk Management, Data Center Operations, and Compliance/Audit. Report insights are based on the collective experience of over 400 IT professionals worldwide, and Symantec’s deep expertise in every element of IT Risk Management. Critical information on key Report differences by industry, geography, control, and size of survey respondent is also provided.

3. Method

3.1. February to October 2007, Symantec surveyed 405 IT Professionals about various aspects of IT Risk Management.

4. Executive Summary

4.1. The Report addresses persistent myths about IT Risk

4.2. which include

4.2.1. adopting a more balanced, less Security-centric view of IT Risk

4.2.1.1. balanced is an interesting choice of words

4.2.1.2. realistic?

4.2.2. more of them now see Availability Risk as critical or serious than any other element

4.2.3. Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable losses of customer loyalty, revenue, and company value

4.2.3.1. doesn't quite make sense

4.2.3.2. reputational damage

4.2.4. Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals’ expectations of monthly incidents in a constantly-changing global and regional business and technology environment call for a continuous, process-oriented approach

4.2.4.1. again emphasis on operational

4.2.5. IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting Corporate Governance, and supported by its own emerging frameworks, standards, and best practices

4.2.5.1. confused again it seems

5. Structure

5.1. real approach is dispel IT risk myths

5.2. document structured around 4 myths + intro and conclusion

5.3. intro

5.3.1. intro

5.3.1.1. Not long ago, IT Risk occupied a small corner of Operational Risk—the opportunity loss from a missed IT development deadline.

5.3.1.1.1. not sure that is really op risk

5.3.1.1.2. strategic risk

5.3.1.2. now IT more strategic

5.3.1.2.1. mention WEF study

5.3.1.2.2. a bit hackneyed

5.3.1.3. dependency requires risk mgmt

5.3.1.3.1. As the world grows more dependent on IT systems and processes, management of IT Risk becomes a practical necessity. Those who neglect this emerging discipline may squander opportunities from fear of trivial or imagined threats, or fail to take elementary precautions against significant threats.

5.3.1.3.2. good point, focus on systems and process

5.3.1.3.3. need RM to have appropriate responses

5.3.2. IT Risk Elements

5.3.2.1. IT Risk encompasses the full spectrum of risks that may affect or result from IT operations

5.3.2.1.1. external natural disasters or changes in government regulation, internal processes that affect product or service quality, IT organizational and datacenter performance, loss of intellectual property, supervisory or legal controls, and much more

5.3.2.1.2. not quite sure that this is the same Op Risk though

5.3.2.2. Symantec differentiates among the four classes of IT Risk elements

5.3.2.2.1. don't really define what an IT Risk Element is

5.3.2.2.2. refer to earlier report

5.3.2.3. Detailed descriptions of these risk elements, with sources and potential impacts, may be found in an earlier report.

5.3.3. Risks Today

5.3.3.1. Talk about an org's risk profile

5.3.3.1.1. can we measure this?

5.3.3.1.2. say what it is, looks like?

5.3.3.1.3. see earlier report

5.3.3.2. many high profile news stories

5.3.3.2.1. tracked in IT threat report for security

5.3.3.2.2. report for other Risk Elements

5.3.4. Look Back

5.3.4.1. great summary of earlier report

5.3.4.2. people and process improvement over tech

5.3.4.3. but need to have good IT asset inventory as a foundation

5.3.5. This Report

5.3.5.1. new questions but seem to be tech focussed

5.3.6. Progress and Myths

5.3.6.1. IT Risk awareness increases but myths persist

5.3.6.2. but they use the right word - misunderstandings

5.3.6.2.1. Yet in an emerging discipline, this awareness has not yet dispelled a few persistent misunderstandings about the nature and extent of IT Risk, the best ways to manage it, and the shortcuts and traps that lie along the path.

5.3.6.3. but then in the next path switch back to myths

5.4. Myths

5.4.1. IT Risk is Security Risk

5.4.1.1. SCAP in general but ...

5.4.1.2. availability more important than security

5.4.1.3. Despite traditional perceptions associating IT risk primarily with security risks, survey results indicate the emergence of a broader view among IT professionals. Of the survey respondents, 78 percent gave “critical” or “serious” ratings to availability risk as opposed to security, performance and compliance risks, with 70, 68 and 63 percent respectively. The fact that only 15 percent separate the highest and lowest scoring risk-types indicates that IT professionals are adopting a more balanced, less security-centric view of IT risk.

5.4.1.4. The report findings confirmed that security and compliance risks often attract attention because of their high visibility and impact—63 percent of respondents rated data loss incidents as having a serious impact on their business.

5.4.2. IT Risk Management is a project

5.4.2.1. must always adapt to the environment

5.4.2.2. have good reports in security

5.4.2.3. addressed in a single project, or even as a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT risk environment.

5.4.2.4. incident frequency

5.4.2.4.1. 69 percent expect a minor IT incident once a month

5.4.2.4.2. 63 percent expect a major IT failure at least once a year

5.4.2.4.3. 26 percent expect a regulatory non-compliance incident at least once a year

5.4.2.4.4. 25 percent expect a data-loss incident at least once a year

5.4.3. technology alone mitigates Risk

5.4.3.1. controls are key, and process controls are most important

5.4.3.2. provide a simple control categories

5.4.4. really myths?

5.4.4.1. not myths but misconceptions

5.4.4.2. or working hypotheses that can no longer be sustained

5.4.4.3. consequence of maturing processes

5.4.4.4. pragmatism has given way to program

5.4.4.5. or pragmatism has served its purpose

5.4.4.6. IT not well suited to shoulder the burden of IT Risk

5.4.4.7. unlikely heirs of the risk function

5.4.5. IT Risk management is a science

5.4.5.1. some frameworks but no practical guidelines

5.4.5.2. just get started

5.4.5.3. use this art

5.4.5.4. method and methodology

6. IT Risk Elements

6.1. Security

6.1.1. transition from a hacker culture of nuisance virus outbreaks and network vandalism to an underground criminal economy in which bank accounts, compromised servers, passwords and credit cards are bought and sold in bulk

6.2. Availability

6.3. Performance

6.3.1. 53 percent of IT incidents, while IT often underestimates the frequency of data loss incidents.

6.4. Compliance

6.5. comment

6.5.1. Of the survey respondents, 78 percent gave “critical” or “serious” ratings to availability risk as opposed to security, performance and compliance risks, with 70, 68 and 63 percent respectively.

6.5.1.1. ASPC

6.5.1.2. which industry are we talking about

6.5.2. The fact that only 15 percent separate the highest and lowest scoring risk-types indicates that IT professionals are adopting a more balanced, less security-centric view of IT risk.

6.5.3. this is the balanced view