Four major risk management mistakes

Gartner highlights major mistakes businesses make in risk management

September 18, 2009

Gartner highlights major mistakes businesses make in risk management

Enterprise security budgets have always been difficult to justify, and the global economic crisis is making this critical process even more difficult, according to Gartner.

Corporate security professionals face a complex situation as they work with highly constrained financial and staffing resources to manage and mitigate a rapidly changing and expanding risk environment.

“Most corporate IT expenditures are inevitably under intense scrutiny during this period of economic uncertainty and IT security and risk management – although less radically affected than overall IT budgets – is no exception,” said Jay Heiser, research vice president at Gartner. “The keys to justifying and optimising security spending are to ensure that security and risk control practices are meeting explicit business objectives and, crucially, to persuade the business to take ownership of risk.”

However, Heiser warned that security professional are unlikely to achieve these critical goals if they fall into one of four common risk management mistakes:
1.    An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection. Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk.
2.    Security professionals have historically made technology-centric investment, implementation and deployment decisions based on what they believe is required, rather than on what the business needs. If business managers can’t or won’t provide information about risk significance of their business processes, then high-level managers must step in and mediate.
3.    Security professionals must develop a consistent way to express and articulate the security-criticality of specific IT systems, information assets and business processes.
4.    Internal “market forces” can help align risks with benefits, if all systems and information assets are ‘owned’ by specific business managers who are accountable for any failures in security or continuity.

“Simple, manageable risk assessment frameworks, explicit acceptance of residual risk and security service level agreements (SLAs) will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks,” said Mr Heiser. “The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services.”