
Identifying enterprise security risks

What color is your information risk today?


Information is the lifeblood of business. Valuable corporate data is available to employees, business partners and contractors. It is accessed locally, in the cloud and in virtual environments, providing instant access to non-public sensitive information. Making matters worse, employees typically do not ask permission to load third-party software or applications on their laptops and mobile phones, devices that are connected to their companies' networks and data stores.

The convenience and business value of "information anywhere" comes with risk. While companies want to support devices, software and applications that enable employees to get the job done, they must do so while carefully monitoring and managing business risks related to the use of information and IT.

One solution for information anywhere is "information security everywhere," but this is impractical and unachievable. Organisations need to determine when convenience results in too much risk and what should be done to limit risks. This is a major challenge, especially when you consider that most organisations cannot answer the simple question, "What is our information risk today?"

Only 8 percent of organisations can determine what the color of their information risk is today within a day or the same week, according to benchmark research on the state of business risks related to the use of information and IT conducted by the IT Policy Compliance Group. Furthermore, 2 percent of organisations cannot answer this question at all or the response is delayed by nine months or more; 70 percent of organisations are unable to answer this question within three months and 20 percent take between one week and three months. Poorly defined business risk, inadequate gathering of information, ill-equipped reporting systems and un-prioritized controls contribute to these unreasonable delays.

Getting priorities right

The IT Policy Compliance Group found there are significant differences in how well organisations are prepared to meet the challenges of information anywhere and anytime and in their ability to define and manage the business risks. Organisations experiencing the lowest business risks related to the use of IT can say what the color of their information risk is today because they have the right organisational processes, controls and reporting systems in place.

These organisations begin by defining the business risks from the top down and then prioritising them. Risks arise from day-to-day execution of business functions; they include managing cash, sourcing risks, accounts receivable, credit risks, legal risks, market concentration risks, regulatory risks, competitive risks, reputational risks and operational risks.

The most successful organisations are utilising the skills of multiple departments and functions to both define and manage business risks related to the use of IT. Wider participation of more stakeholders enables organisations to prioritise the external pressures and the business risks, identify the core organisational risks related to the use of information and IT assets, and use reporting systems to more effectively monitor, manage and balance tradeoffs between policies, risks, exceptions and controls.

With respect to IT controls and operational processes, companies with the lowest business risks employ several unique practices. Nearly three-quarters of these organisations routinely classify sensitive information assets and identify IT assets with access to sensitive information. Nearly two-thirds consistently maintain an inventory of the locations of sensitive information, detect or prevent the leakage of sensitive information and use information security controls to protect sensitive information.

In addition, the IT Policy Compliance Group found that the rate at which risks and controls are evaluated is very different among organisations. There is a direct relationship between outcomes and the elapsed time between the assessments of risk and controls. The organisations with the lowest risks implement very frequent risk and controls assessments with very short elapsed times between assessments (weekly to bi-monthly), while the rate is quarterly or less frequent among organisations experiencing worse outcomes.

Automation drives better outcomes

The level of automation to gather information and produce reports on information risks and controls is also directly related to achieving better outcomes. Simply put, the worst performing organisations have the least automated procedures and the best performers have the most automated procedures to gather information and produce reports focusing on operational, financial, reputation, headline and brand risks related to the use of IT.

Organisations with the lowest business risks automate the collection of information around IT controls and organisational processes and deliver customisable reports connecting the dots between business risks and the use of information and IT. The IT Policy Compliance Group found that 80 percent of the procedures to gather information and produce reports about the business risks related to the use of information and IT assets are automated by organisations experiencing the best outcomes.

In contrast, organisations with the most loss or theft of customer data, the most business downtime and the largest difficulty sustaining audit results are automating just 11-12 percent of the procedures to gather information and produce reports.

