"Most corporate IT expenditures are inevitably under intense scrutiny during this period of economic uncertainty and IT security and risk management " although less radically affected than overall IT budgets " is no exception," said Jay Heiser, research vice president at Gartner. "The keys to justifying and optimising security spending are to ensure that security and risk control practices are meeting explicit business objectives and, crucially, to persuade the business to take ownership of risk."
However, Mr Heiser warned that security professional are unlikely to achieve these critical goals if they fall into one of four common risk management mistakes:
1) Taking a 'One Size Fits All Approach to Security and Risk Management The same level of protection, or the same level of security spending, can't be simultaneously effective and economically viable for each business unit, much less for every component within a single business unit. An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection. Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk.
2) Making Plans Based on What the Security Organisation Wants, Not What the Business Needs Security professionals have historically made technology-centric investment, implementation and deployment decisions based on what they believe is required, rather than on what the business needs. It is impossible to defend security plans, and the budgets they require, if they aren't based on business objectives. If business managers can't or won't provide information about risk significance of their business processes, then high-level managers must step in and mediate.
3) Making Risk-Related Communications Too Complex for the Business to Understand Security professionals must develop a consistent way to express and articulate the security-criticality of specific IT systems, information assets and business processes. Gartner recommends a simple three level scale " high, medium and low " to provide a common reference point for articulating the business criticality of IT that can potentially be used for a corresponding set of risk management service levels.
4) Allowing LOB Managers to Transfer Their Risk to the IT Organisation and the IT Security Organisation Line of business (LOB) managers are only too willing to take advantage of the IT organisation's and IT security's willingness to accept residual risks, making the mistaken presumption that IT's "standard offering" will effectively address any form of IT risk. Such an approach makes the IT organisation, or the IT security organisation, the scapegoat for security failures and any consequent reduction in perceived service or flexibility. Internal "market forces" can help align risks with benefits, if all systems and information assets are 'owned' by specific business managers who are accountable for any failures in security or continuity.
"Simple, manageable risk assessment frameworks, explicit acceptance of residual risk and security service level agreements (SLAs) will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks," said Mr Heiser. "The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services."
More information is available in the Gartner research note entitled "Four Risk Management Mistakes That Threaten Your Security Budget". The report is available on Gartner's website at http://www.gartner.com/DisplayDocument?ref=g_search&id=994712&subref=simplesearch
Mr Heiser will provide more detailed analysis on the key issues facing the information security industry at the Gartner Information Security Summit 2009, taking place 21-22 September, at the Lancaster London hotel. Gartner analysts, industry experts and IT security practitioners will deliver unbiased, realistic analysis of the current state of information security, as well as an independent vision of how things will evolve over the long term. For complete event details, please visit the Gartner Information Security Summit website at www.europe.gartner.com/security. Members of the media can register by contacting Holly Stevens at [email protected]
About Gartner Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit www.gartner.com.