I’ve just been checking out the new Symantec IT Risk Management Report. It’s the result of a year-long study based on interviews with IT executives and professionals around the world. Such surveys are mandatory reading for security managers, as they can provide valuable insight into trends and useful collateral evidence for business cases.
So what does this report tell us? Unfortunately, like too many of these surveys, there’s not much that’s of practical use to a CISO. Highlights include unsurprising findings such as the following.
“IT professionals rate themselves more effective in their deployments of technology than of process controls.”
“More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations.”
“Best-in-class organizations perform with high effectiveness across most controls.”
“Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk.”
“Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause.”
“Best-in-class IT Risk management requires a disciplined approach…across people, process, and technology.”
As Basil Fawlty once put it: “Can’t we get you on Mastermind…specialist subject: stating the bleeding obvious…”