Fear of cyber attacks could expose businesses to new risks
Data breaches and cyber attacks frequently make the news when well-known companies are the target.
This is good in the sense that it raises awareness of the need to take security seriously, however, the latest Global Risk Management Survey by Gartner finds that fear of attack is causing security professionals to shift their focus away from disciplines like enterprise risk management and risk-based information security in order to concentrate on technical security issues.
"While the shift to strengthening technical security controls is not surprising given the hype around cyberattacks and data security breaches, strong risk-based disciplines such as enterprise risk management or risk-based information security are rooted in proactive, data-driven decision making," says John A Wheeler, research director at Gartner. "These disciplines focus squarely on the uncertainty (as in, risk) as well as the methods or controls to reduce it".
Gartner says that organizations that move away from risk-based disciplines, or fail to adopt them in the first place, fall prey to what it calls fear uncertainty and doubt (FUD) which in turn can lead to reactionary or emotion-based decision making.
The survey shows a worrying movement away from risk assessment, with only six percent focused on enterprise risk management in 2013 compared to 12 percent in 2012. Wheeler says, "As IT risk profiles and postures change in the future, an inevitable shift in focus back to these risk-based disciplines will need to occur. If not, IT organizations may find that more-critical, emerging risks will remain undetected, and the company as a whole will be left unprepared".
In the short-term though it seems that FUD can benefit the security budget. The report finds that 39 percent of respondents have been allocated funds totaling more than seven percent of the total IT budget. This compares with only 23 percent having received a similar amount in 2011.
"These incongruent survey findings seem to validate the observation that risk-based, data-driven approaches are falling to the wayside in favor of FUD-based, emotion-driven activities," says Wheeler. "Or, perhaps more disturbingly, they indicate that those who have concerns are simply burying their head in the sand, rather than proactively addressing emerging threats".
Linking of IT risk indicators to business performance seems to be in decline too with survey respondents indicating a seven percent drop in formal mapping over the last year. Seventeen percent had ceased this activity altogether. Wheeler concludes, "If done correctly, integrated risk and performance mapping exercises can yield tremendous benefits for companies and IT organizations that are seeking to develop a more-effective risk management dialog with business leaders".
The full report Survey Analysis: Risk Management, 2013 is available from Gartner's website.