SOURCE: Symantec

February 05, 2007 08:00 ET

Symantec Report Identifies Shortcomings in Approaches to Mitigating IT Risk

Organizations Anticipate Security Breaches, Believe They Are Less Effective at Process Controls, and Demonstrate Misalignment Within Their Own Internal IT Organization Regarding Risk Perception

CUPERTINO, CA -- (MARKET WIRE) -- February 5, 2007 -- Symantec Corp. (NASDAQ: SYMC) today released the Symantec IT Risk Management Report, highlighting that 60 percent of respondents expect at least one major IT incident per year that could halt or disrupt a critical part of the business. The Symantec IT Risk Management Report, a new report aimed at helping executives and IT operational personnel understand the critical elements involved in an effective IT risk management strategy, is based on input from quantitative and qualitative survey research conducted over a twelve month period ending October 2006. Symantec collected information from more than 500 respondents from IT managers to top IT executives in organizations with worldwide operations, in a wide representation of industry segments.

"The ING Renault F1 Team's IT infrastructure is critical to our relationships with customers and partners and therefore, we are committed to managing IT risk as part of our larger business strategy," said Graeme Hackland, IT manager, ING Renault FI Team. "In today's environment, understanding our exact risk profile and how we can better prioritize our resources to ensure an effective IT risk strategy is top of mind."

Organizations Anticipate Security Breaches, Incidents

The Symantec IT Risk Management Report survey data indicated that a majority of respondents expect to be impacted by some type of security or compliance incident in the next one to five years. Specifically, 66 percent of respondents expect a major regulatory incident at least once every five years. Additionally, 58 percent of respondents expect a major data loss caused by events such as data center outage, corruption of data, or breach of security systems, at least once every five years.

Deployment of Process Controls Falls Behind Technology Controls

Effective IT risk management requires a strong combination of expertise and investment in process controls and technology controls. The most effective IT risk management programs use defined controls that combine well-chosen technologies and best-practice processes. The Symantec IT Risk Management Report revealed that professionals surveyed at all levels of organizations, across industries, scale, and geographic reach, view their organizations' capabilities with technology controls as more effective than with process controls.

The report findings indicated that authentication, authorization, and access was the process control rated highest for effectiveness, with 68 percent of respondents rating their organization more than 75 percent effective. The report also underlined a specific process control problem in identifying, classifying and managing IT assets. Only 38 percent of respondents rated themselves more than 75 percent effective in implementing asset inventory, classification, and management process controls. These controls are of fundamental importance in building an IT risk management program which reflects the organization's priorities. Without careful risk assessment, all assets are likely to be treated equally, where some may be overprotected and others under protected.

"Organizations are beginning to see the value in taking a proactive, rather than reactive approach to their IT risk management strategy," said Jon Oltsik, senior analyst at Enterprise Strategy Group. "Effective IT risk management requires organizations to assess both their technology and processes, as well as have clear understanding and agreement about different risks that may impact their systems, and their overall business."

Misalignment Exists Within Internal IT Organizational Roles Regarding Perception of Risk

The Symantec IT Risk Management Report revealed a noticeable difference in the way IT staff and IT executives view their organization's IT risk exposure, particularly around perceived risk related to both business process and compliance risk. For example, 8 percent of IT executives rate business process risk as critical to their IT operations compared to 22 percent of IT directors, and 23 percent of IT executives rate compliance risk as critical to their IT operations compared to 16 percent of IT directors.

Symantec believes that strong alignment between all areas of IT and the business must exist in order for IT risk management investments to be successful. These differing internal IT viewpoints could even create risk by producing poor coordination with the larger business. This may result in over- or under-investment in controls, leading to wasted resources and ineffective IT risk management programs.

"As organizations are growing more and more dependent on their IT systems to conduct business, IT risk has become a primary concern for business leaders and one that should be addressed as part of a larger business risk management strategy," said Greg Hughes, executive vice president, Symantec Global Services. "The Symantec IT Risk Management Report offers organizations a comprehensive view of IT risk perceived by various organizations worldwide."

Holistic Approach to IT Risk Management Yielded Fewer Incidents

Data from the Symantec IT Risk Management Report identified a trend related to Best-in-Class organizations. In this report, Symantec defines Best-in-Class organizations as the top 25 percent of respondents who rated their effectiveness in implementing 16 control areas. These organizations experience higher levels of compliance and business process risk, but lower levels of IT incidents. A detailed analysis revealed that Best-in-Class organizations perform with high effectiveness across a variety of controls, including process controls, creating a holistic approach. The data also indicated that lower-performing organizations typically focus on a small number of more tactical technology controls rather than implementing a broad range of control areas.

The Symantec IT Risk Management Report provides organizations with the benchmarks and recommendations that they need to evaluate the effectiveness of their own IT Risk Management strategy.

The Symantec IT Risk Management Report is available on Symantec's Web site at

About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Contact Information