The use of risk assessments is fairly widespread, with 79% of survey respondents conducting them, though not all companies then put the work to full use. Of those doing assessments, 76% use them to develop security policies, but just 41% use them to drive purchasing and planning.
Of course, it doesn't take an MBA to know that risk management is about more than just IT and data security. Businesses engage in risk analysis all the time when they roll out new products, manage marketing budgets, and make capital investments. IT teams need to tap into that knowledge and perspective at their own companies.
Electric Insurance spends about 20% to 25% of its project planning time on risk analysis and management, says Michael Hannigan, manager of systems engineering and support. Because the entire process, from planning to postproduction, includes risk analysis, Hannigan finds that potential problems are identified and addressed early. Fixing a problem after the fact is many times more expensive than correcting it in the design stage. In Electric Insurance's case, risk management is already part of the culture, which is not surprising for a financial company. We should all be so proactive.
Much of the considerable up-front cost of a risk assessment stems from asset and risk analysis: determining the value of projects, product lines, and services, and then assigning a risk to each. But it's a process that pays off over time, because a valued and ranked inventory is what lets a company decide which risks to fix first and which controls are worth buying.
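As an added example, not code from the article or from Electric Insurance, here is the asset-and-risk analysis described above carried through in Python: assets are valued, a risk is assigned to each threat against them, the results are ranked, and candidate controls are accepted or rejected on whether their annual risk reduction exceeds their annual cost, which is the "drive purchasing and planning" use that only 41% of respondents make of their assessments. The article names no methodology; the annualized-loss-expectancy (ALE) model used here is an assumption of this example, and every asset, dollar figure, rate and control cost is constructed for illustration.

```python
"""Quantitative risk register: rank risks by annualized loss expectancy (ALE)
and decide which controls are cost-justified.

Added example, not from the original article. The ALE model is an assumption:
  SLE (single loss expectancy) = asset value x exposure factor
  ALE (annualized loss expectancy) = SLE x ARO (annual rate of occurrence)
All figures below are constructed illustrative numbers, not survey data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    asset: str
    asset_value: float        # business/replacement value of the asset, in dollars
    threat: str
    exposure_factor: float    # fraction of asset value lost per incident (0..1)
    aro: float                # expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: Dict[str, float]   # threat -> fraction by which its ARO falls


# Constructed risk register (hypothetical insurer; numbers are invented).
RISKS: List[Risk] = [
    Risk("customer database", 2_000_000, "credential compromise", 0.40, 0.5),
    Risk("customer database", 2_000_000, "ransomware", 0.25, 0.2),
    Risk("public web site", 300_000, "defacement", 0.10, 2.0),
    Risk("claims application", 1_000_000, "insider misuse", 0.15, 0.3),
]

# Constructed candidate controls with hypothetical annual costs.
CONTROLS: List[Control] = [
    Control("identity and access management", 150_000,
            {"credential compromise": 0.6, "insider misuse": 0.5}),
    Control("web application firewall", 80_000, {"defacement": 0.7}),
    Control("offline backups", 40_000, {"ransomware": 0.8}),
]


def total_ale(risks: List[Risk]) -> float:
    return sum(r.ale() for r in risks)


def residual_ale(risks: List[Risk], control: Control) -> float:
    """Total ALE that remains once the control lowers the ARO of the threats it covers."""
    return sum(r.ale() * (1.0 - control.aro_reduction.get(r.threat, 0.0)) for r in risks)


def rosi(risks: List[Risk], control: Control) -> float:
    """Return on security investment: (annual risk reduction - annual cost) / annual cost."""
    reduction = total_ale(risks) - residual_ale(risks, control)
    return (reduction - control.annual_cost) / control.annual_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest ALE first: this is the order in which problems should be addressed."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def justified_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[Control, float]]:
    """Controls whose yearly risk reduction exceeds their yearly cost, best ROSI first."""
    scored = [(c, rosi(risks, c)) for c in controls]
    return sorted([(c, s) for c, s in scored if s > 0], key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print(f"total ALE: ${total_ale(RISKS):,.0f}")
    for r in rank_risks(RISKS):
        print(f"  {r.asset:22s} {r.threat:22s} ALE ${r.ale():>10,.0f}")
    print("controls worth funding:")
    for c, s in justified_controls(RISKS, CONTROLS):
        print(f"  {c.name:32s} ROSI {s:+.2f}")
    rejected = [c.name for c in CONTROLS if rosi(RISKS, c) <= 0]
    print("not cost-justified at current estimates:", rejected)
```

With these constructed figures the web application firewall is rejected: it removes $42,000 of expected annual loss but costs $80,000 a year, while offline backups and identity management both pay for themselves. The point of the exercise is the comparison, not the absolute numbers; the ARO and exposure-factor estimates are the weakest inputs and should be revisited each cycle, which is why the register is kept as data rather than as a one-off spreadsheet calculation.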
"You have to have a strategy," Hannigan says. "Big IT projects, like identity management and password management, are very expensive to implement, but where do you want to be in three or five years, and what's the easiest way to get there? You don't want multiple silos of security. You want to standardize and not deviate from those standards unless there are compelling, justifiable reasons to do so."
In a testament to the brisk security product industry, when we asked what measures are taken to mitigate risks, the No. 1 answer, cited by 72%, is to throw technology at problems. There's nothing wrong with that (technical problems require technical solutions), but compare it with some of the more strategic possibilities: a mere 18% institute role-based access to sensitive data. A purchased product typically closes one class of vulnerability; restricting who can reach the data in the first place limits the damage from whichever vulnerability is exploited next.
Given the effort and money needed for focused risk management, measuring the success of the ongoing process is critical. Sixty percent of survey respondents use internal audits to evaluate whether risk management efforts are paying off, and just under half use regulatory compliance as the measure. Neither of these is as effective as an independent assessment, including inviting expert penetration testers to do their worst: an internal audit or a compliance checklist confirms that controls exist, while a penetration test shows whether they hold. That fact is not lost on financial services companies, 69% of which measure success with independent audits. Overall, the figure is just 43%.
Who controls, and is accountable for, all these budget dollars? In 63% of companies, the IT budget funds risk management initiatives, and this holds true regardless of industry. More interesting, 69% of companies with risk management plans say that, long term, the process will save them money. Only 22% say the risk management effort will be an ongoing budget hit. That is a refreshing counterpoint to the doom and gloom of perpetual costs that often surrounds risk management.
While we didn't ask about the source of cost savings, we can infer benefits from other questions. Risk assessments are primarily used to develop mitigation policies and fix vulnerabilities; that can yield process-oriented efficiencies, such as using databases to simplify asset management and policy compliance. Similarly, understanding the source of vulnerabilities and fixing root causes, rather than patching each symptom as it appears, extends those efficiencies across a company. Regulatory compliance also generally benefits from risk management, whether through improved infrastructure security and storage management or through identity management and documented processes.