According to a new member survey by global IT association ISACA, 61 percent of information technology leaders in the UK believe that any employee-owned mobile device poses a greater risk to the enterprise than company-supplied devices do, as opposed to 31 percent who said a mobile device supplied by the company is riskiest*. When asked, “What is the riskiest behaviour you are aware of an employee doing with a mobile device that has access to the corporate network?”, storing company data in an unsecured manner was reported as the riskiest by 48 percent of the respondents; losing the device was said to be the riskiest by 26 percent. Just 23 percent of respondents believe that the benefits of employees using personal devices for work activities outweigh the risk to the enterprise.
Despite their concerns, IT professionals are pragmatic about balancing risks with rewards and are actively involved in managing mobile security. More than 8 out of 10 have a security policy in place for mobile computing, although 31 percent admit their policy needs updating or communicating.
“The Risk/Reward Barometer is a reliable and trusted indicator for senior IT and business managers. The opportunities and rewards in IT are there, but new risks and cyber threats are rapidly becoming part of our day-to-day reality. Protection and risk management are more important than ever, and they should be seen as strategic priorities,” said Rolf von Roessing, CISA, CISM, CGEIT, CISSP, international vice president of ISACA.
The global 2011 ISACA IT Risk/Reward Barometer surveyed IT professionals who are members of ISACA. This year’s study revealed some interesting geographical differences:
* In the US, 58 percent say employee-owned mobile devices pose the greatest risk, compared to 33 percent who chose a work-supplied device*.
* In Europe, 45 percent chose personal mobile devices as the riskiest vs. 46 percent who chose a work-supplied device.
* Just 36 percent of members in India and 33 percent in China shared the opinion that personal devices posed the greatest risk.
IT organizations are increasingly being asked to manage the growing trend of “BYOD” (bring your own device) as employees take advantage of more powerful and affordable mobile devices that let them work from any location.
“Mobile devices usually are not under the full physical control of the enterprise. However, they still should be managed, controlled and secured by enterprise-wide policies, standards and procedures. Creating a mobile device strategy will help ensure that risks are accounted for and managed appropriately,” said Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT Foundations, Six Sigma Black Belt, who is a member of ISACA’s Guidance and Practices Committee and chief evangelist officer of Entel IT Consulting. “Establishing a program that creates value for the business and properly leverages available technology, while mitigating risks, is very challenging and difficult. However, a mobile devices enterprise strategy should always start with a comprehensive policy and finish with a full device lifecycle support program.”
The IT Risk/Reward Barometer is based on March 2011 online polling of 2,765 ISACA members worldwide. The European results are based on 657 respondents, of which 147 are UK-based. The study, now in its second year, helps gauge current attitudes and organizational behaviours related to the risks and rewards associated with IT projects and emerging trends.
Both UK and European respondents are still slow to embrace cloud computing, considered a key IT trend by other regions, as 47 and 43 percent respectively believe the risks outweigh the benefits. One third of respondents in Europe use cloud computing, and 30 percent of organisations in both regions say they do not currently use cloud computing for any IT services. Twenty percent of the UK sample added that they had not finalised their plans with regard to cloud computing at the time of the survey. The three most frequently cited cloud concerns are data security, loss of control, and issues surrounding ownership of data.
This is in stark difference to the US where this year’s Barometer shows that the number of enterprises that do not use cloud for any IT services has decreased by 5 points to 21 percent, and those that plan to use it for mission-critical IT services has increased four points to 14 percent. This shift in attitude matches a growing spend on the cloud model as enterprises seek lower total cost of ownership, greater efficiency and increased flexibility.
Cloud computing is one of the issues on the agenda at ISACA’s World Congress: INSIGHTS 2011 conference 27-29 June near Washington DC. Senior-level government officials and executives from Fortune 500 companies will share expertise on emerging technologies in the context of business value and compliance at this inaugural event.
Despite a sluggish economic recovery, a surprisingly high percentage (43 percent) of respondents expects their organization’s staffing requirements for information security to increase over the next year, with an additional 51 percent expecting to remain at current levels. Similarly, 40 percent expect risk management staffing requirements to go up.
“Today’s rapid acceleration in data volume, IT complexity and privacy regulations are fuelling a need for a greater focus on information security and risk management. ISACA is seeing a similar growth in interest in its CRISC and CISM certifications, as professionals seek to better understand and demonstrate proficiency in the critical areas of managing security and risk,” said Ken Vander Wal, CISA, CPA, international vice president of ISACA.
ISACA’s CISM certification program is developed specifically for experienced information security managers. CRISC is designed for IT professionals who have hands-on experience with risk identification, assessment, evaluation, response and monitoring. Since it was established one year ago, the CRISC certification has been earned by more than 8,000 professionals.
Overall, this year’s IT Risk/Reward Barometer indicates that striking a balance between reducing risk and enabling reward is evolving toward a more strategic, cross-enterprise view. Thirty-two percent of UK survey participants felt that the most important action an enterprise can take to improve IT risk management is to provide executive management with a “single view of risk,” closely followed by improving coordination between IT risk management and overall enterprise risk management at 30 percent; and increasing risk awareness among employees at 29 percent. Unfortunately, budget limits are cited as an organisation’s greatest hurdle when addressing IT-related business risk at 36 percent.
Compliance is still the primary driver behind managing IT risk (23 percent); however, avoiding negative incidents is now joint-second alongside aligning functionality with business needs, both scoring 22 percent.
“Managing information and the technology used to transform it into competitive advantage is a boardroom imperative. As forward-thinking leaders roll IT risk into their overall enterprise risk management, they will be far better positioned to reap the rewards of new technologies like mobile and cloud without feeling overwhelmed by the risk,” said Vander Wal.