Finding the right balance between risk and reward is an ongoing challenge for our profession. Too much control can stifle innovation and growth. Too little may result in greater pay-offs, but can also expose your organization to much higher risks. This year’s annual IT Risk/Reward Barometer, a global survey conducted by ISACA, shows that this balancing act is evolving, but that concerns and approaches vary widely by region.
The 2011 IT Risk/Reward Barometer polled 2,765 IT leaders globally, looking at both governance of enterprise IT and attitudes toward such emerging technologies as mobile devices and cloud computing. You can view the full results at www.isaca.org/risk-reward-barometer; I’d also like to share my observations on regional trends and differences.
“Bring Your Own Device”
A growing number of employees are using their own portable devices to access work information. This trend, nicknamed BYOD for “Bring Your Own Device,” is changing the perception about what poses the biggest risk to the business. In countries such as Canada, the UK and US, the majority felt that any employee-owned device—no matter what type—was riskier than anything supplied by IT. The latter category included work-supplied smart phones, laptops/netbooks, tablet computers, broadband cards or flash drives, so that covers a lot of possible scenarios. Other countries singled out a particular device. In China, flash drives (29 percent) far outranked “any employee-owned device” (32 percent). Similarly, laptops/netbooks were viewed as greater threats than employee-owned devices in Mexico. These differences can be explained by numerous factors, ranging from the rate of smart phone adoption by country to highly publicized stories about leakage of classified data through the loss of company-issued USB drives. This is an area where the “human factor” is going to be critical, since technology alone cannot safeguard data, especially on devices the organization does not own.
Cloud Adoption on the Rise
Compared to last year’s Risk/Reward Barometer, we are seeing a growing acceptance of cloud computing around the world. The number of respondents who state they plan to use cloud computing in 2011 (including both mission-critical and non-mission-critical applications) is as high as 36 percent in India and 39 percent in the US. Countries such as China and the UK are not too far behind, at 31 percent and 33 percent respectively. When we compare year-over-year results, there is a decrease in the number of enterprises not using cloud computing for any IT services and a rise in those that plan to use it for mission-critical IT services. Organizations continue to consider security and privacy issues surrounding data located off-premise and many use private clouds or a hybrid, public-private model. But the growing adoption of cloud computing indicates that business and IT leaders are seeing enough benefits to move forward with this architecture.
Staffing Needs and the New, More Mature Face of IT Risk Management
The 2011 IT Risk/Reward Barometer has some interesting data points on surprisingly robust projections for staffing requirements (at least 30 percent of enterprises in all regions project an increase in information security and risk management positions over the next 12 months), and on an increasingly mature and more strategic IT risk management function that is more integrated with enterprise risk management than before (see results to question 1).
Do you think employee-owned mobile devices should be allowed? Is your organization using cloud computing for mission-critical services? What is the biggest motivator behind your organization’s IT risk management activities? Is it compliance? Need for business alignment? Incident avoidance? I look forward to hearing how your thoughts compare to this year’s results.
Ken Vander Wal, CISA, CPA
International Vice President, ISACA