InformationWeek Research Report: Risk-Oriented Security

IT teams that manage risk effectively are more agile, more efficient and better aligned to business goals. Despite this, many organizations either do not have an IT risk program, or their programs are not designed to deliver significant business value, drive decision making or influence behavior.

In the recent InformationWeek Analytics survey on IT risk management, only 52% of respondents say they have IT risk management programs in place. Of those, the majority focus their efforts on fulfilling regulatory compliance and reducing security incidents. Worse, only 11% characterize their programs as effective; 56% rate their programs as fair (needing improvement) or worse. Only 35% say their programs are at a maturity level where they are managed or optimized.

Organizations limit the value of their IT risk programs in a number of ways. The seven most common are:

  • Treating their IT risk activities as a compliance "check box."
  • Overly focusing on one type of risk, such as security, business continuity or compliance, and not managing other strategic IT business risks.
  • Being reactive and providing tactical solutions.
  • Not defining the right relationships with partners, such as compliance, audit and risk management teams.
  • Using an overly complex or inconsistent risk assessment methodology (or methodologies).
  • Limiting the amount of executive governance or oversight.
  • Providing reports that don't clearly allow business and IT management to monitor current risks.

In this report, we'll first discuss the overall concept of a risk-oriented approach to security, then dig into the five steps necessary to get the IT risk portion of the program off the ground.
