Symantec Finds Scope of IT Risk Widening
Network availability now tops security among IT managers' concerns, while worries grow beyond hackers to include misplaced equipment and thumb drives.
Symantec has released is second-annual Risk Assessment survey and the results show that the definition of "risk" is expanding, as are the threats facing IT.
The survey of 405 IT managers, undertaken between February and November 2007, found that their top concern is network availability -- with 78 percent citing it as a business-critical or serious risk.
The finding marked the first time that network availability surpassed security among IT managers' concerns.
"That told us two things: respondents are taking a broader view of IT risk and what constitutes it and they are shifting away from just a security-oriented view to one of availability, compliance and performance," said Jennie Grimes, senior director of Symantec's IT risk management program office.
But while IT managers' concerns are multiplying, confidence in their ability to keep a reign on things is slipping. More than half, 53 percent, said they expected a major IT incident related to those four issues.
Yet only a third said they had good management, configurations and backup plans.
Part of the reason for this is due to risk's increasing scope. A year ago, the industry considered risk incident to be hacking attacks. Now, the term includes human error -- like losing a laptop or backup tape, failing an internal audit and poor-performing applications.
The other problem is that with so many laptops being lost or stolen and insecure technologies, ranging from instant messenger to USB thumb drives, entering the workplace, IT is getting away from the people who live by it.
"I do believe the infrastructures are getting more complicated and I do believe that the notion of the perimeter of the network -- traditionally having been a physical thing -- is shifting to the human being and is causing complexity to increase," Grimes said.
One possible reason for the drop in confidence is that the definition of IT and its influence on companies have also grown -- so much so that IT has become the lifeblood of firms.
In recent years, the discussion among C-level executives has been how IT is expected to drive profits. Now the situation is beyond that, where companies simply can't function without it.
"Organizations are realizing how much they rely on IT," Grimes said.
For example, she said she noticed that many large firms now have a new executive in the ranks, the vice president of IT risk management, whose job is to deal with risks to the IT infrastructure.
Grimes said she's met about 40 now, all relatively new to the position.