Book digest: IT Risk - Turning Business Threats into Competitive Advantage

CIOs need to consider vulnerabilities in their organisations rather than threats to their IT environments if they are to protect both properly.

CIOs need to consider vulnerabilities in their organisations rather than threats to their IT environments if they are to protect both properly.

"When you cut down the vulnerabilities you improve the company's ability to survive regardless of any specific threat," said Richard Hunter, Gartner analyst and co-author of a new book, IT Risk - Turning Business Threats into Competitive Advantage.

Each organisation is different and therefore has different weak points, he noted. For example, Barnado's, the children's charity, could function reasonably well without its computer systems, but was much more vulnerable to a loss of reputation. "Access is more important than availability to Barnado's, and the IT governance strategy should reflect that," Hunter said.

Hunter said most CIOs were using the wrong definition of IT risk, which is why they find it hard to persuade boards to give them bigger budgets. "Most CIOs equate IT risk with IT threats such as hacking and viruses, but it is actually about the four As - availability, access, accuracy and agility," he said.

"When you define IT risk in the usual way, you are talking mainly about the first two. But the board is more interested in the other two, because they relate to regulatory and legal compliance, and to the ability of the company to go forward successfully."

For some, agility is key. Hunter pointed to electronics manufacturer Tektronix, which was unable to sell a division because its information systems were so intimately bound up with those of the rest of the company. "It took them two years, £20m and a new ERP system before they could disentangle the division," he said.

Hunter added that CIOs who use only the first two As will often spend 5% to 6% of their total IT budget on security. But if they widened their definition, it was easier to get budgets of 12% to 15% approved. "But the matter of the right amount to spend is unresolved," he said, "and it depends on the company's unique circumstances."

Even so, the most effective use of their IT security budget is to consolidate and simplify their IT assets, he said. A proper risk management approach rested on three elements: a well-structured foundation of IT assets, a good risk governance process, and a risk-aware culture in the whole organisation.

"Complexity comes with proliferation of technologies, and that increases the number of end-point systems you have to apply and manage, which increases your risk," Hunter said. "Simplifying your technology platform mitigates risk down the whole IT risk threat pyramid."

Hunter noted research by Phil Howard at the University of Washington, which found that of 550 data breaches in the US over the past 25 years, 60% were due to "organisational malfeasance" rather than hackers. More than 6 million personal records a month are "bleeding" from companies, Howard estimated.

"It is getting just too risky for them to ignore," Hunter said. "A lot of companies are now asking for very detailed explanations of how they and their business partners develop and apply risk mitigation policies and processes, especially for handling sensitive and management information. If they can see evidence of managment inattention, or a lack of control or process sloth, they will go elsewhere."

Hunter referred to the recent admission by TGX that 45 million accounts had been breached. However, in the next quarter sales were up 9% and the share price was close to its historical high, even though the company said it would cost around £70m to sort out the mess.

Hunter said that did not include claims for hundreds of millions of dollars in compensation and punitive damages being prepared by banks that had to warn their customers of the breach.

"Customers were less worried about the theft of their credit card data than about their debit cards or Social Security numbers, but the incident was and is a disaster for TGX," Hunter said.

Companies should put in place business continuity plans and practice their tactics. "Like any muscle, a business continuity plan will improve with exercise," he said.

Companies rather than hackers are mostly to blame for data breaches, according to a study by Phil Howard, an assistant professor of communication at the University of Washington, and Kris Erickson, a UW geography doctoral student.

They reviewed breached‑record incidents reported by major US news media between 1980 to 2006. The total names exposed was about 1.9 billion, roughly nine records per American adult.

Malicious intrusions by hackers made up a minority (31% ) of 550 confirmed incidents between 1980 and 2006 60% were attributable to organisational mismanagement such as missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online. The rest were unspecified.

The number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases). This was probably a result of California's law on data breaches and similar legislation adopted by other states, said the researchers.

The education sector, primarily colleges and universities, amounted to less than 1% of all lost records, but accounted for 30% of all reported incidents.

A single 2003 incident, which exposed 1.6 billion records held by Acxiom, an Arkansas‑based company that stores personal, financial and corporate data, dwarfed all others. In that case, the offender controlled a company that did business with Acxiom and had permission to access some files on Acxiom's servers. But he illegally hacked into other records and then tried to conceal the theft, prosecutors charged.

Read more on IT risk management