Time to Get Serious About IT Risk, IBM Says
October 4, 2010 Alex Woodie
IT is good. IT is beneficial. It’s a truism that information technology helps organizations become more efficient and more competitive. After all, people don’t adopt computers so they can waste their time and fall further behind. But according to a recent risk management study by IBM, organizations should devote more time to understanding the potential downsides and harm that result from the use of IT, and should adopt more formal IT risk management practices.
To get a better idea of how companies deal with risk, IBM Global Business Services interviewed more than 500 IT managers and CIOs for companies around the world, and presented its findings in a 16-page “2010 IBM Global IT Risk Study,” which is available for download at this IBM Web page.
The study’s big finding is that organizations aren’t taking IT risks seriously enough. IBM found that fewer than 50 percent of the companies surveyed have a formal risk management department. Only 12 percent said they took an “expert” approach to mitigating IT risk, which means that there’s room for improvement for the other 88 percent.
The outlook was somewhat better when it comes to preparations for disaster, as 54 percent of companies reported having a “well-crafted” business continuity strategy. That’s good news, and shows that companies are taking the threat of application outages seriously.
But disasters and IT system outages represent just one type of risk that impacts IT. By far, the top IT risk reported by survey respondents is information security. Nearly four out of five IT managers and CIOs say IT security–or being vulnerable to hackers and unauthorized use of company systems–is the number one IT-related risk to their companies. The rest of the list reads as follows: hardware and system malfunction; power failure and physical security; theft; product quality; compliance; natural disasters; e-discovery requests; supply chain failures; and terrorism (in that order).
Companies also take risks when they adopt new applications or technologies. Some of the most potentially dangerous application and technology categories include social networking tools (including Internet sites, instant messaging, and blogs); mobile computing (i.e. smartphones); and cloud computing. IT managers and CIOs say they are concerned about the unauthorized release of confidential data with these emerging applications and technologies. By comparison, the respondents say adoption of virtualization and service-oriented architecture (SOA) is not as risky.
This is not to say that companies should not adopt social networking tools, cloud computing, or smartphones. Indeed, properly implemented, a company can use these applications to increase revenue or profits by more effectively connecting with customers, empowering sales people with pertinent information, and becoming more agile consumers of new applications. But companies should not blindly adopt these applications without understanding the potential risks and taking steps to mitigate them.
So, what can you do to lessen the risk? IBM says that results of the study “confirm that companies need to work harder at educating, communicating and supporting risk management and compliance initiatives across the enterprise,” and take a “unified, holistic” approach to IT risk.