security breaches will harm their corporate reputation as
well as their revenues.
Key findings from the Symantec "IT Risk Management Report," February 2007:
• 66 percent of all companies expect a regulatory non-compliance issue once every five years
• 60 percent expect at least one IT incident to affect their organization every year
• 20 percent expect a major data loss to occur at least once per year

Connecting IT Risk and IT Performance
Several round-table attendees remarked upon the relationship between IT Risk Management and best practices for improving IT processes and governance. According to one participant, “IT Risk Management should be baked into procedures. Procedures should be compliant and have controls. Procedures ensure things are done the right way.”
Standardization and automation can also greatly reduce the time and costs associated with addressing IT risk whenever a new project starts. To illustrate this point, one attendee noted that when a group needs a server for a new business project, his group builds the server in the same way every time using standard procedures. In this way, the server is basically pre-certified by his company’s standards for security and compliance.

Aligning IT with the Business
IT risks often result from growth initiatives, outsourcing, partner relationships, acquisitions, mobile device use, and other dynamic changes to the IT environment driven by business initiatives. Although IT bears responsibility for implementing technology and defining IT policies, executives agreed business alignment for IT Risk Management was crucial.
Some managers suggested a co-responsibility approach where an IT person would be involved in any new project from the start so that risk could be discussed at every step of the project.
Executive sponsorship was also identified as a key element of a successful IT Risk Management program. Some attendees held a strong opinion that “risk management has to come from the top.”

Addressing the Human Element
Data stored on company systems can be protected through a variety of technical measures including access controls, antivirus, encryption, content filtering, intrusion prevention systems, backup software, and more. But copies left on a printer can just as easily give an unauthorized employee, contractor or visitor the information they need to expose a company to risk.
To fully address IT risk, several attendees commented that employee training was a fundamental. “We see the need for constant education and re-education,” said a Senior IT Director from a federal government agency.

Taking the First Step
IT Risk Management is increasingly becoming a board level issue, and more companies are investing in IT Risk Management programs to help reduce exposure. Key elements to any such program are a thorough assessment of risk, upper management support, cooperation of the business groups, and end-user training.
Assessment is often the best place to start. According to one attendee, “Assessment is the foundation for quantifying risk. This lets us prioritize projects so we can work on those with more serious risk first. Without assessment and prioritization, we don’t know which end of the funnel we’re dealing with – so we’d be all over the place.”

Symantec Solutions for IT Risk Management
Symantec offers an extensive range of products and services to help customers manage IT risk, performance, and cost. Our consultants have worked with 95% of the Fortune 500, and possess an average of 15 years experience in IT Risk Management disciplines. Select services offerings include IT risk assessments, technology deployment, IT process optimization, managed security services, and outsourcing solutions.

Your Next Step
For more information go to
www.symantec.com/globalservices.