Spotlight: Symantec report reveals myths and realities of IT risk management
Symantec studies the myths of IT risk management. Source: Matrix Safety Systems  
Symantec today released its IT Risk Management Report Volume II, revealing that while awareness of the importance of IT risk management is increasing, concerns within the healthcare industry persist. 

Regarding the growing need for IT risk management, the report cited the World Economic Forum, which projects a potential worldwide impact of $250 billion and a sustained U.S. investment in IT of almost $1.2 trillion.

The initial IT Risk Management Report, Volume I, published in February 2007 and based on more than 500 collected surveys, found that IT professionals identified four primary frameworks associated with IT risk: security, availability, compliance and performance.

For the current report, Symantec surveyed 405 IT professionals from February to October 2007 about various aspects of IT risk management.

In Volume II, the company “wanted to challenge some wide-held tenets within the IT industry, and with the rigor of some facts, data and statistics, find out if these tenets hold up or not,” Bob Yang, senior director of education services at Symantec, told Health Imaging News.

Yang said that Symantec compiled four key IT myths that were debunked over the course of its research. Regarding overall trends, he said that the majority of companies were taking a much more holistic view of managing their IT risks—while the first report showed the most emphasis on security, this report showed a broader focus across all four frameworks.

1. The first myth is that IT risk equals security risk. Yang agreed that while this might have been true a few years ago, it is less true now. An unexpected finding in the study is the emerging concern with data loss; 46 percent of the respondents had worries about data loss.

2. The second myth is that IT risk management is just a project. The misconception is that buying software, installing it and launching it completes a company's IT risk process, according to Yang. The data from the report suggests that IT risk management needs to be a continuous process. In fact, the report shows that 69 percent of IT managers expect IT failure at least 10 times a year, showing that recurring smaller incidents need to be part of a continuous program of awareness and training.

3. The third myth is that technology alone mitigates IT risk. In a collaborative study with the MIT Center for IT Research, Symantec and MIT found that 53 percent of breakdowns in IT management are caused not by a technology failure but by a process failure. Yang cited the example of a healthcare provider that fell victim to a virus outbreak, which was quelled in a timely manner. Yet three months later, a second and a third data center fell victim to the same virus, which shows that no knowledge transfer took place throughout the company, since it already had both the technology and the knowledge to manage the IT risk.

4. The fourth myth is that IT risk management is a science. Yang said that the biggest component of IT risk management is culture. An entire organization needs to obtain the same level of training and knowledge to ensure that the first level of prevention is in place within the organization.

Yang also said that the survey revealed a lack of confidence within the IT industry. He said that there is considerable “worry that systems will fail, and there is almost an expectation that systems will fail. So, there is work to be done on how to mitigate that risk.” In particular, the healthcare sector had the least confidence in IT risk management, according to the report.

Of all the industries surveyed, the report found that the healthcare participants anticipated more incidents of failure than any other industry sector. Yang said that the lack of confidence is attributable to the personal nature of the data that is exchanged and to the stringent regulatory nature of the healthcare environment.

“Now in its second year, the IT Risk Management Report provides IT professionals and C-level executives with unparalleled insight into the discipline of IT risk management—ranging from understanding what’s working and what’s not to providing actionable guidance and best practices for effective program execution,” said David Thompson, group president of Symantec IT and services group.

Future research from Symantec will assess the state of deployment and maturity of IT risk management programs, including the prevalence of IT risk management initiatives and the use of program-based best practices.