Press Release

About ISACA

Over Half of IT Leaders Say Employee-Owned Mobile Devices Are Riskiest

2011 ISACA IT Risk/Reward Barometer also charts growing acceptance of cloud computing and projected increase in information security jobs

Rolling Meadows, IL, USA (1 June 2011)—More than half of information technology leaders in the US believe that any employee-owned mobile device poses a greater risk to the enterprise than mobile devices supplied by the company, according to a new member survey by ISACA. Yet 27 percent still believe that the benefits of employees using personal devices outweigh the risks.

The 2011 ISACA IT Risk/Reward Barometer found that 58 percent of US information security and IT audit professionals view mobile devices owned by employees as posing the greatest risk, compared to 33 percent who chose one of work-supplied smart phones, laptops/netbooks, tablet computers, broadband cards or flash drives. IT organizations are increasingly being asked to manage the growing trend of “BYOD” (bring your own device) as employees take advantage of more powerful and affordable mobile devices that let them work from any location.

“BYOD presents both opportunities and threats. It lets both employees and organizations take advantage of the latest technology innovations at limited cost to the organization. Unfortunately, it also introduces new vulnerabilities, due to the limited ability of most organizations to effectively manage and secure employee-owned devices accessing their information infrastructure,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC. “Organizations should educate their employees on their BYOD security requirements and implement a comprehensive mobile device policy that aligns with the organization’s risk profile.”

The IT Risk/Reward Barometer, now in its second year, helps gauge current attitudes and organizational behaviors related to the risks and rewards associated with IT projects and emerging trends. The study polled 2,765 IT leaders from around the world, including 712 respondents from the US. To see the full results, visit www.isaca.org/risk-reward-barometer.

The percentage of UK respondents who viewed devices owned by employees as most risky (61 percent) was similar to US members, while only 36 percent of members in India and 33 percent in China shared this opinion.

Despite their concerns, IT professionals are pragmatic about balancing risks with rewards and are actively involved in managing mobile security. Twenty-seven percent of US respondents felt that the benefits of employees using their own mobile devices for work activities outweigh the risks, and another 36 percent view risks and benefits as evenly balanced. More than 8 out of 10 have a security policy in place for mobile computing – although 32 percent of those admit their policy needs updating or communicating.

Growing acceptance of cloud computing

Cloud computing, another key IT trend, is growing in acceptance. This year’s Barometer shows that the number of enterprises that do not use cloud for any IT services has decreased by 5 points to 21 percent, and those that plan to use it for mission-critical IT services has increased four points to 14 percent. This shift in attitude matches a growing spend on the cloud model as enterprises seek lower total cost of ownership, greater efficiency and increased flexibility.

“Cloud computing isn’t new; it’s an evolution of IT that is growing in popularity with the C-suite as a viable and cost-effective IT resource enabling businesses to be more agile,” said Robert Stroud, CGEIT, international vice president of ISACA and service management, cloud computing and governance evangelist at CA Technologies. “Because security is still a concern with cloud services, organizations recognize that they must take measured risk in cloud deployment. But it’s a calculated risk they will take because they know that stifling the use of cloud computing to avoid risk could actually stifle business growth.”

Cloud computing is one of the issues on the agenda at ISACA’s World Congress: INSIGHTS 2011 conference 27-29 June near Washington DC. Senior-level government officials and executives from Fortune 500 companies will share expertise on emerging technologies in the context of business value and compliance at this inaugural event.

Information security and risk jobs on the rise

Despite a sluggish economic recovery, a surprisingly high percentage (40 percent) of respondents expects their organization’s staffing requirements for information security to increase over the next year, with an additional 55 percent expecting to remain at current levels. Similarly, 34 percent expect risk management staffing requirements to go up, with only 5 percent expecting requirements to drop.

“Today’s rapid acceleration in data volume, IT complexity and privacy regulations are fuelling a need for a greater focus on information security and risk management. ISACA is seeing a similar growth in interest in its CRISC and CISM certifications, as professionals seek to better understand and demonstrate proficiency in the critical areas of managing security and risk,” said Ken Vander Wal, CISA, CPA, international vice president of ISACA.

ISACA’s CISM certification program is developed specifically for experienced information security managers. CRISC is designed for IT professionals who have hands-on experience with risk identification, assessment, evaluation, response and monitoring. Since it was established one year ago, more than 8,000 professionals have applied for and earned the CRISC certification.

IT risk management becoming more strategic

Overall, this year’s IT Risk/Reward Barometer indicates that striking a balance between reducing risk and enabling reward is evolving toward a more strategic, cross-enterprise view. Integration of IT risk management into overall enterprise risk management is up slightly over last year’s results, and survey participants felt that the best way to improve risk management is to improve its coordination with enterprise risk management. While compliance (26 percent) and avoiding negative incidents (22 percent) are still the primary drivers behind managing IT risk, a close third is now aligning functionality with business needs (18 percent). Underscoring that performance motivators seem to be on the rise, the percentage of respondents who identified “improving the balance of risk-taking with risk-avoidance to improve return on investment” as the top driver doubled from 2010 to 2011.

“Managing information and the technology used to transform it into competitive advantage is a boardroom imperative. As forward-thinking leaders roll IT risk into their overall enterprise risk management, they will be far better positioned to reap the rewards of new technologies like mobile and cloud without feeling overwhelmed by the risk,” said Vander Wal.

About the ISACA IT Risk/Reward Barometer

The IT Risk/Reward Barometer is based on a March 2011 online polling of 2,765 ISACA members worldwide. US results are based on a sample size of 712 respondents. To see the full results, visit www.isaca.org/risk-reward-barometer.

About ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.

ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter: http://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official)

Contact:

Kristen Kessinger, +1.847.660.5512, news@isaca.org

Joanne Duffer, +1.847.660.5564, news@isaca.org


What is CISA	What is CISM	What is CGEIT	What is CRISC
Benefits of CISA	Benefits of CISM	Benefits of CGEIT	Benefits of CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC

World Congress: INSIGHTS	Training Week	Webinars
North America CACS	eLearning Campus	Virtual Conferences
EuroCACS / ISRM	On-Site Training
Governance, Risk and Control	Exam Review Courses	COBIT EDUCATION
North America ISRM
Latin America CACS / ISRM
Oceania CACS
Asia-Pacific CACS / ISRM


COBIT 5 Home
Product Family
Training & Accreditation
Licensing
Join the Conversation
News
Recognition
FAQs