January 24, 2011, 4:07 PM — Information is the lifeblood of business. Valuable corporate data is available to employees, business partners and contractors. It is accessed locally, in the cloud and in virtual environments, providing instant access to non-public sensitive information. Making matters worse, employees typically do not ask permission to load third-party software or applications on their laptops and mobile phones -- devices that are connected to their companies' networks and data stores.
The convenience and business value of "information anywhere" comes with risk. While companies want to support devices, software and applications that enable employees to get the job done, they must do so while carefully monitoring and managing business risks related to the use of information and IT.
One solution for information anywhere is "information security everywhere," but this is impractical and unachievable. Organizations need to determine when convenience results in too much risk and what should be done to limit risks. This is a major challenge, especially when you consider that most organizations cannot answer the simple question, "What is our information risk today?"
Only 8% of organizations can determine the color of their information risk today within a day or within the same week, according to benchmark research on the state of business risks related to the use of information and IT conducted by the IT Policy Compliance Group. Furthermore, 2% of organizations cannot answer this question at all or their response is delayed by nine months or more; 70% of organizations are unable to answer this question within three months; and 20% take between one week and three months. Poorly defined business risk, inadequate gathering of information, ill-equipped reporting systems and unprioritized controls contribute to these unreasonable delays.
Getting priorities right
The IT Policy Compliance Group found significant differences in how well organizations are prepared to meet the challenges of information anywhere and anytime, and in their ability to define and manage the business risks. Organizations experiencing the lowest business risks related to the use of IT can state the color of their information risk today because they have the right organizational processes, controls and reporting systems in place.