Are we more concerned with addressing obvious IT risks than having effective IT risk management?
I ask this question after reading Ernst & Young’s 2010 Global Information Security Survey. The survey has some interesting comments on the top IT security risks from new information technology, including the obvious ones around data leakage, mobile devices, cloud computing, and social media. E&Y report good news: while risks are perceived as increasing, nearly half of respondents see their IT security budget increasing.
But the statistic that jumps out for me is this: only about 42% of the respondents to the survey have an IT risk management program in place.
How do you ensure you protect the organization from IT-related risks without a solid IT risk management program (preferably integrated with the enterprise risk management program)?
How do you allocate resources to address the more significant information security risks without a risk management program?
It’s great that E&Y provided this information. Next, in my opinion, is more thought leadership on the need for an effective IT risk management program as part of the enterprise-wide risk management program.
What do you think?
By the way, have you completed the survey on GRC, and whether the concept adds value? If not, please see here.