Fear of Attacks is Shifting Focus From Tried and True Risk-based Tactics
Recent publicity about cyberattacks and data security breaches has increased IT risk awareness among CIOs, chief information security officers (CISOs) and senior business executives. However, Gartner, Inc.'s 2013 Global Risk Management Survey found that fear of attack is causing security professionals to shift focus away from disciplines such as enterprise risk management and risk-based information security to technical security. This shift in focus is driven by what Gartner analysts refer to as fear, uncertainty and doubt (FUD), which often leads to reactionary and highly emotional decision making.
"While the shift to strengthening technical security controls is not surprising given the hype around cyberattacks and data security breaches, strong risk-based disciplines such as enterprise risk management or risk-based information security are rooted in proactive, data-driven decision making," said John A. Wheeler, research director at Gartner. "These disciplines focus squarely on the uncertainty (as in, risk) as well as the methods or controls to reduce it. By doing so, the associated fear and doubt are subsequently eliminated."
IT risk management programs and approaches differ by industry and by company, according to the unique business needs and requirements that an IT organization must support. Gartner views the spectrum of IT risk management program activities as enabling one or more of the following five functions:
Gartner believes that organizations that either shift away from risk-based disciplines or simply fail to adopt them will find themselves at the mercy of the FUD trap. The survey results showed movement away from these disciplines, with only six percent focused on enterprise risk management in 2013 versus 12 percent in 2012. Mr. Wheeler said that as IT risk profiles and postures change in the future, an inevitable shift in focus back to these risk-based disciplines will need to occur. If not, IT organizations may find that more-critical, emerging risks will remain undetected, and the company as a whole will be left unprepared.
While FUD can lead to negative management behaviors, it can also lead to positive budget impacts for an IT risk management program. In the short term, this can be a benefit to the program through the ability to add staff and resources to an area that is typically cost-constrained. In fact, 39 percent of this year's survey respondents have been allocated funds totaling more than seven percent of the total IT budget. That compares with only 23 percent of survey respondents receiving a similar amount in 2011.
However, the added budget resources are not a given for future years. Unless there is a strong IT risk management program in place to support the future need for similar levels of budget allocation, the resources will soon evaporate. Determining the IT risk management program's current level of maturity, as well as the desired state of maturity, is a great first step to building a strong program. Gartner recommends that CIOs, CISOs and senior business executives assess the current maturity of their IT risk management program, and create a strategic road map for risk management to ensure continued funding.
At the management level, IT risk management governance is weakening. Compared with Gartner's 2012 survey results on the use of IT risk management steering committees, many companies are shifting away from formal risk management governance structures. Overall, in 2013, 53 percent of survey participants reported using either informal IT risk management steering committees or none at all. This compares with 39 percent in 2012.
"These incongruent survey findings seem to validate the observation that risk-based, data-driven approaches are falling to the wayside in favor of FUD-based, emotion-driven activities," said Mr. Wheeler. "Or, perhaps more disturbingly, they indicate that those who have concerns are simply burying their head in the sand, rather than proactively addressing emerging threats."
Mr. Wheeler said that regular communication about emerging IT risks with board members and business leaders will result in better decision making and, ultimately, more desirable business outcomes.
Survey participants also indicated that progress toward linking IT risk indicators to corporate performance indicators is slowing. Not only did activity supporting the formal mapping of key risk indicators (KRIs) to key performance indicators (KPIs) decline by seven percent from 2012 to 2013, but mapping also ceased altogether for 17 percent of survey respondents in 2013, versus eight percent in 2012. Again, this shift in activity could very well be a result of the FUD-based, emotion-driven approaches.
"If done correctly, integrated risk and performance mapping exercises can yield tremendous benefits for companies and IT organizations that are seeking to develop a more-effective risk management dialogue with business leaders," said Mr. Wheeler. "However, if done incorrectly, the exercise can become time and resource consuming, often resulting in an unwieldy process that ultimately fails."
Additional information is available in the report "Survey Analysis: Risk Management, 2013." The report can be found on Gartner's website at www.gartner.com/resId=2606115.
About the Gartner 2013 Global Risk Management Survey
The Gartner 2013 Global Risk Management Survey was addressed to employees who are responsible for privacy, IT risk management, information security, business continuity or regulatory compliance. Gartner surveyed a total of 555 organizations in the U.S., Canada, the U.K. and Germany in April and May 2013 to help understand how risk management planning, operations, budgeting and buying are performed, especially in areas such as risk management, information security, business continuity management, IT compliance and privacy.
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. The company delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in approximately 10,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 8,100 associates, including more than 1,700 research analysts and consultants, and clients in more than 90 countries. For more information, visit www.gartner.com.