Over the past few years, I’ve seen anecdotal evidence suggesting a change in the way large organizations approach information security. Regulatory compliance has been the primary driver in the past but my instincts told me that many enterprises were moving away from a “check box” mentality toward a more formal IT Risk Management framework.
Recently, I read a great report from Ernst & Young that supports this thesis. The report can be downloaded here:
According to the report, 78% of large organizations have a formal IT Risk Management function, and investment in these programs is increasing.
That’s the good news. The bad news is that many of these programs remain immature works in progress. When respondents were asked which factors posed a challenge to their IT risk management program:
* 42% responded, “competing objectives”
* 40% responded, “multiple risk assessments”
* 31% responded, “staff resources to support information technology risk management”
* 29% responded, “level of risk tolerance”
My takeaway is that many IT risk management efforts are still performed tactically in silos rather than in a standard fashion across the enterprise. Skills and resources remain scarce, and large organizations are still unsure what the output data tells them.
This report is very insightful and should be a “must-read” for CISOs, CIOs, and Chief Risk Officers as it provides a clear assessment guideline. What’s more, it could be used as a roadmap for fixing some urgent problems.
To me, this is very important. The checkbox mentality doesn’t work — just ask Federal government agencies how effective FISMA is. That said, IT risk management remains more art than science.
We as a security community and industry need to put our collective heads together to solve this problem soon.
Tags: Ernst & Young, FISMA, IT Risk Management