Recent publicity about cyberattacks and data security breaches has increased IT risk awareness among CIOs, chief information security officers (CISOs) and senior business executives. However, Gartner, Inc.'s 2013 Global Risk Management Survey found that fear of attack is causing security professionals to shift focus away from disciplines such as enterprise risk management and risk-based information security to technical security. This shift in focus is driven by what Gartner analysts refer to as fear, uncertainty and doubt (FUD), which often leads to reactionary and highly emotional decision making.
"While the shift to strengthening technical security controls is not surprising given the hype around cyberattacks and data security breaches, strong risk-based disciplines such as enterprise risk management or risk-based information security are rooted in proactive, data-driven decision making," said John A. Wheeler, research director at Gartner. "These disciplines focus squarely on the uncertainty (as in, risk) as well as the methods or controls to reduce it. By doing so, the associated fear and doubt are subsequently eliminated."
IT risk management programs and approaches differ by industry and by company, according to the unique business needs and requirements that an IT organization must support. Gartner views the spectrum of IT risk management program activities enabling one or more of the following five functions:
- Technical security
- Risk-based information security
- IT operations risk — formalized risk management across multiple disciplines, such as security, privacy, business continuity management (BCM) and compliance
- Operational risk — IT operations risk plus business operational risk, supply chain risk and more
- Enterprise risk management — operational, credit and market-risk-centralized function with executive and board-level visibility
Gartner believes that organizations that either shift away from risk-based disciplines or simply fail to adopt them will find themselves at the mercy of the FUD trap. The survey results showed movement away from these disciplines, with only six percent focused on enterprise risk management in 2013 versus 12 percent in 2012. Mr. Wheeler said that as IT risk profiles and postures change in the future, an inevitable shift in focus back to these risk-based disciplines will need to occur. If not, IT organizations may find that more-critical, emerging risks will remain undetected, and the company as a whole will be left unprepared.
While FUD can lead to negative management behaviors, it can also lead to positive budget impacts for an IT risk management program. In the short term, this can be a benefit to the program through the ability to add staff and resources to an area that is typically cost-constrained. In fact, 39 percent of this year's survey respondents have been allocated funds totaling more than seven percent of the total IT budget. That compares with only 23 percent of survey respondents receiving a similar amount in 2011.
However, the added budget resources are not a given for future years. Unless there is a strong IT risk management program in place to support the future need for similar levels of budget allocation, the resources will soon evaporate. Determining the IT risk management program's current level of maturity, as well as the desired state of maturity, is a great first step to building a strong program. Gartner recommends that CIOs, CISOs and senior business executives assess the current maturity of their IT risk management program, and create a strategic road map for risk management to ensure continued funding.
At the management levels, IT risk management governance is weakening. Compared with Gartner's 2012 survey results on the use of IT risk management steering committees, many companies are shifting away from formal risk management governance structures. Overall, in 2013, 53 percent of survey participants reported using either informal IT risk management steering committees or none at all. This compares with 39 percent in 2012.
"These incongruent survey findings seem to validate the observation that risk-based, data-driven approaches are falling to the wayside in favor of FUD-based, emotion-driven activities," said Mr. Wheeler. "Or, perhaps more disturbingly, they indicate that those who have concerns are simply burying their head in the sand, rather than proactively addressing emerging threats."
Mr. Wheeler said that regular communication about emerging IT risks with board members and business leaders will result in better decision making and, ultimately, more desirable business outcomes.
Survey participants also indicated that progress is slowing to link IT risk indicators and corporate performance indicators. Not only did activity supporting the formal mapping of key risk indicators (KRIs) to key performance indicators (KPIs) decline by seven percent from 2012 to 2013, but mapping also ceased altogether for 17 percent of survey respondents in 2013, versus eight percent in 2012. Again, this shift in activity could very well be a result of the FUD-based, emotion-driven approaches.
"If done correctly, integrated risk and performance mapping exercises can yield tremendous benefits for companies and IT organizations that are seeking to develop a more-effective risk management dialogue with business leaders," said Mr. Wheeler. "However, if done incorrectly, the exercise can become time and resource consuming, often resulting in an unwieldy process that ultimately fails."