Fear of advanced cyber attacks is driving a shift away from tried-and-tested, risk-based security tactics, leaving organisations more vulnerable to emerging threats, a survey has found.
Fear of attack is causing security professionals to shift focus away from disciplines, such as enterprise risk management and risk-based information security, to technical security, according to Gartner’s 2013 Global Risk Management Survey.
Gartner surveyed 555 organisations in the US, UK, Canada and Germany.
This shift in focus is driven by what Gartner analysts refer to as fear, uncertainty and doubt (FUD), which often leads to reactionary and highly emotional decision making.
"While the shift to strengthening technical security controls is not surprising, given the hype around cyberattacks and data security breaches, strong risk-based disciplines, such as enterprise risk management or risk-based information security, are rooted in proactive, data-driven decision making," said John Wheeler, research director at Gartner.
"These disciplines focus squarely on the uncertainty (risk) as well as the methods or controls to reduce it. By doing so, the associated fear and doubt are subsequently eliminated," he said.
Gartner believes organisations that shift away from risk-based disciplines or fail to adopt them will find themselves at the mercy of the FUD trap.
The survey results showed movement away from these disciplines, with just 6% focused on enterprise risk management in 2013, compared with 12% in 2012.
Wheeler said that, as IT risk profiles and postures change in the future, an inevitable shift in focus back to these risk-based disciplines will need to occur.
"If not, IT organisations may find that more critical, emerging risks will remain undetected, and the company as a whole will be left unprepared," he said.
While FUD sometimes leads to negative management behaviours, Gartner found it can also lead to positive budget impacts for an IT risk management program.
In the short term, this can add staff and resources to an area that is typically cost-constrained.
The survey showed that 39% of respondents have been allocated funds totalling more than 7% of the total IT budget, compared with only 23% receiving a similar amount in 2011.
However, the added budget resources are not a given for future years. Unless there is a strong IT risk management program in place to support the future need for similar levels of budget allocation, Gartner believes the resources will soon evaporate.
Gartner recommends that CIOs, CISOs and senior business executives assess the current maturity of their IT risk management program, and create a strategic road map for risk management to ensure continued funding.
The survey shows that governance of IT risk management is weakening at management levels. Overall, in 2013, 53% of respondents reported using either informal IT risk management steering committees or none at all. This compares with 39% in 2012.
"These incongruent survey findings seem to validate the observation that risk-based, data-driven approaches are falling to the wayside in favor of FUD-based, emotion-driven activities," said Wheeler.
"Or, perhaps more disturbingly, they indicate that those who have concerns are simply burying their head in the sand, rather than proactively addressing emerging threats," he said.
According to Wheeler, regular communication about emerging IT risks with board members and business leaders will result in better decision making and, ultimately, more desirable business outcomes.
Survey participants also indicated that progress is slowing to link IT risk indicators and corporate performance indicators.
Not only did activity supporting the formal mapping of key risk indicators (KRIs) to key performance indicators (KPIs) decline by seven percent from 2012 to 2013, but mapping also ceased altogether for 17% of respondents in 2013, compared with just 8% in 2012.
Gartner believes that this shift in activity could very well be a result of the FUD-based, emotion-driven approaches.
"If done correctly, integrated risk and performance mapping exercises can yield tremendous benefits for companies and IT organisations that are seeking to develop a more effective risk-management dialogue with business leaders," said Wheeler.
"However, if done incorrectly, the exercise can become too time and resource consuming, often resulting in an unwieldy process that ultimately fails," he said.