While I haven't had a chance to parse the 50-odd pages, the conclusions of the report are baffling. Even more so considering the findings are targeted toward CISOs, risk managers, as well as compliance and audit professionals. I think some of these professionals may find the report condescending, if not downright insulting.
The report highlights four myths that the security vendor says it dispels. While these may be "myths" believed by the layperson, or first-year IT professionals, they're certainly not "myths that need to be dispelled" in security circles. At least not by anyone who has ever tried to walk that careful balance between business need and risk mitigation in the real world.
Now, on to the "myths":
Myth One: IT risk is security risk. Because 78% of its respondents rated availability as a "critical" or "serious" IT risk, Symantec concludes that the "emergence" of a broader view of IT security is afoot.
Newsflash: Availability always has been a crucial part of the IT security equation, from defending against denial-of-service attacks that choke Web performance to e-mail worms that drag down communications. In fact, availability is part of the IT Security CIA triad: Confidentiality, Integrity, and Availability.
Myth Two: IT risk management is a project. I've yet to hear any chief security officer, security analyst, or even firewall administrator refer to IT risk management as a "project." In nearly every business large enough to have a CIO or a risk or compliance manager, IT security and regulatory compliance are treated as long-term programs, not one-off point projects.
Myth Three: Technology alone mitigates IT risk. I dropped my ham and Swiss-cheese sandwich onto my desk when I read this rib-cracker. Again, I've not come across any CISO, chief risk officer, or industry analyst who thought -- let alone ever said -- that technology alone could mitigate IT risk. Most go by the adage that good security is about People, Process, and Technology -- in that order -- when it comes to mitigating risks. Actually, some of the best IT security and risk management technologies available are designed to keep the process in place and protect people from themselves. And the importance of security awareness has been ranked very high in almost every IT security survey I've ever read. Maybe companies should practice what they preach more habitually, but this is not a "myth" to be squashed.
Myth Four: IT risk management is a science. "An emerging business discipline, not a science," is how this report describes IT risk management.
Does this need to be stated? To regard IT security and risk management "as a science" flies in the face of the very nature of the CISO or CRO function. Essentially, their job is to help the business execute its mission while keeping risk at or below tolerable levels. These types of decisions are not scientific, and often amount to a company "gut check."
A simple example would be deciding whether a wireless LAN deployment creates more risk than business or productivity value. If the WLAN can be cost-effectively secured, the WLAN gets the green light. If not, or if the data residing on that network is too valuable to risk, the WLAN would be a no-go. These types of decisions are rarely based on science.
This report is a case of the survey respondents knowing exactly what they were saying. It's the interpretation that is bad. These were not myths to be dispelled; rather, they were the early lectures one would expect to hear in Security 101. Symantec should think more highly of its customers.