ISACA Now Blog

IT Risk/Reward Barometer reveals regional differences

Posted at 7:56 AM by ISACA News | Category: Risk Management

Finding the right balance between risk and reward is an ongoing challenge for our profession. Too much control can stifle innovation and growth. Too little may result in greater pay-offs, but can also expose your organization to much higher risks. This year’s annual IT Risk/Reward Barometer, a global survey conducted by ISACA, shows that this balancing act is evolving, but that concerns and approaches vary widely by region.


The 2011 IT Risk/Reward Barometer polled 2,765 IT leaders globally, looking at both governance of enterprise IT and attitudes toward such emerging technologies as mobile devices and cloud computing. You can view the full results at; I’d also like to share my observations on regional trends and differences.


“Bring Your Own Device”

A growing number of employees are using their own portable devices to access work information. This trend, nicknamed BYOD for “Bring Your Own Device,” is changing the perception about what poses the biggest risk to the business. In countries such as Canada, the UK and US, the majority felt that any employee-owned device—no matter what type—was riskier than anything supplied by IT. The latter category included work-supplied smart phones, laptops/netbooks, tablet computers, broadband cards or flash drives, so that covers a lot of possible scenarios. Other countries singled out a particular device. In China, flash drives (29 percent) far outranked “any employee-owned device” (32 percent). Similarly, laptops/netbooks were viewed as greater threats than employee-owned devices in Mexico. These differences can be explained by numerous factors, ranging from the rate of smart phone adoption by country to highly publicized stories about leakage of classified data through the loss of company-issued USB drives. This is an area where the “human factor” is going to be critical, since technology alone cannot safeguard data, especially on devices the organization does not own.


Cloud Adoption on the Rise

Compared to last year’s Risk/Reward Barometer, we are seeing a growing acceptance of cloud computing around the world. The number of respondents who state they plan to use cloud computing in 2011 (including both mission-critical and non-mission-critical applications) is as high as 36 percent in India and 39 percent in the US. Countries such as China and the UK are not too far behind, at 31 percent and 33 percent respectively. When we compare year-over-year results, there is a decrease in the number of enterprises not using cloud computing for any IT services and a rise in those that plan to use it for mission-critical IT services. Organizations continue to consider security and privacy issues surrounding data located off-premise and many use private clouds or a hybrid, public-private model. But the growing adoption of cloud computing indicates that business and IT leaders are seeing enough benefits to move forward with this architecture.


Staffing Needs and the New, More Mature Face of IT Risk Management

The 2011 IT Risk/Reward Barometer has some interesting data points on surprisingly robust projections for staffing requirements (at least 30 percent of enterprises in all regions project an increase in information security and risk management positions over the next 12 months), and on an increasingly mature and more strategic IT risk management function that is more integrated with enterprise risk management than before (see results to question 1).


Do you think employee-owned mobile devices should be allowed? Is your organization using cloud computing for mission-critical services? What is the biggest motivator behind your organization’s IT risk management activities? Is it compliance? Need for business alignment? Incident avoidance? I look forward to hearing how your thoughts compare to this year’s results.


Ken Vander Wal, CISA, CPA

International Vice President, ISACA


Survey Analysis

I'm curious about the banking/finance/insurance industries category and the results for question number 8 - Which of the following mobile devices do you believe represents the greatest risk to your enterprise? (n=711). Is it possible to see this segmented category's response to this particular question? Thank you
Todd Osborn
Todd160 at 6/8/2011 1:55 PM

Financial services view on mobile devices and threats

Hello Todd,
I'm one of the folks who helped design the survey and I spend quite a bit of time on IT-related operational risk in the financial services space. On your questions, the FS split is:
* Work supplied smart phones 8.4%
* Work supplied laptops/note books 15.0%
* Work-supplied tablets 2.2%
* W-S broadband cards 0.4%
* W-S flash drives 6.2%
* Any employee-owned mobile device 55.9%
* None 7.0%
* Other 4.8%
Hope this is helpful.
Brian Barnier at 6/10/2011 3:13 PM

Survey extension to Africa

Curiously, this survey has not been extended to Africa, as the results show (for both 2010 and 2011). I believe this is a segment being neglected, yet internet and technology use has increased tremendously. The use of mobile devices is on the rise, and so is the use of cloud computing.

Africa-related survey results would be most beneficial for me as an IT risk officer (based in Africa), because they are easier to identify with, as well as identifying any trends to look out for.

Finally, would you also extend some conferences to Africa - preferably Kenya to begin with :)

Joan at 7/18/2011 2:08 AM