How organizations define IT risk is expanding, according to Symantec's second IT Risk Management Report, which also indicates that concerns about network availability have become foremost in the minds of those responsible for managing enterprise networks.
The survey of 405 IT managers, performed between February and November 2007, found that 78 percent of the respondents said that network availability is their number one business-critical risk. Second on the list was security (70 percent), followed by performance (68 percent) and compliance (60 percent).
Jennie Grimes, the senior director of Symantec's IT risk management program office, responsible for developing the annual report, told SCMagazineUS.com today that this is the first time network availability has topped security as the top worry of IT managers.
"The findings told us two important things," Grimes said. "The ways in which respondents define IT risk is broadening and -- with that tight clustering of only 16 points between the most and least concerned issues -- their definition of IT risk is not only broadening, but they're starting to give all four areas almost equal weighting."
She said that the change in attitude is impacting the way in which IT organizations deal with the broad range of IT-related issues they face.
"An organization would now treat a denial-of-service or phishing attack or any of the more traditional security risks exactly the way it would treat the loss of a backup tape or the inability to restore an application server within a certain amount of time," she explained. "It would treat them all as equally harmful or damaging to their business."
Another key finding from the survey: 50 percent of those IT managers responding to the survey now expect to deal with 10 "major" IT incidents a year, up from a single one last year. This signified a dramatic increase from last year, according to Grimes.
"I think that the expected increase in the frequency of major IT incidents could be tied to the first myth, that security is the number one IT risk. If we define a broader set of IT risk incidents, one could expect the rate of incidents occurring to increase, as well. But the increase to almost one a month was dramatic to us," she said.
This points to the need for organizations to take a more programmatic approach to assessing IT risks rather than merely performing an annual risk-management assessment, she added.
The report also indicated that 53 percent of the major IT incidents reported by respondents were caused by failure of a process, not a failure of technology, she said.
"As a technology vendor we would love it if technology is always the answer to stopping IT incidents, but it's not the answer. It's tempting to prove the need for technology to solve problems, but organizations have to work on controls/processes first."