Enterprise Strategy Group | Getting to the bigger truth.TM

Good Data on IT Risk Management

Over the past few years, I’ve seen anecdotal evidence suggesting a change in the way large organizations approach information security. Regulatory compliance has been the primary driver in the past, but my instincts told me that many enterprises were moving away from a “check box” mentality toward a more formal IT Risk Management framework.

Recently, I read a great report from Ernst & Young that supports this thesis. The report can be downloaded here:

According to the report, 78% of large organizations have a formal IT Risk Management function, and investment in these programs is increasing.

That’s the good news. The bad news is that many of these programs remain immature works in progress. When respondents were asked which factors posed a challenge to their IT risk management program:

* 42% responded, “competing objectives”
* 40% responded, “multiple risk assessments”
* 31% responded, “staff resources to support information technology risk management”
* 29% responded, “level of risk tolerance”

My takeaway is that many IT risk management efforts are still performed tactically in silos rather than in a standard fashion across the enterprise. Skills and resources remain scarce, and large organizations are still unsure what the output data tells them.

This report is very insightful and should be a “must-read” for CISOs, CIOs, and Chief Risk Officers as it provides a clear assessment guideline. What’s more, it could be used as a roadmap for fixing some urgent problems.

To me, this is very important. The checkbox mentality doesn’t work — just ask Federal government agencies how effective FISMA is. That said, IT risk management remains more art than science.

We as a security community and industry need to put our collective heads together to solve this problem soon.


© 2010 Enterprise Strategy Group, Milford, MA 01757