The current IT environment makes yesterday's look like a relative cakewalk.
Today, IT must ensure that growing volumes of information are secure, increasingly
complex information infrastructures remain up and running, and exacting requirements
from an expanding range of regulatory and audit bodies are met and sustained.
All this with budgets that are lower than they once were.
With no outside stimulus plan in the making to alleviate the pressure, IT managers
are being forced to devise their own bailout strategy and yet again find ways
to accomplish more with less -- without throwing good money after bad.
The good news? It can be done. According to a February 2009 report by the IT
Policy Compliance Group (ITPCG), improvements in information security and operational
assurance result in lower financial risk and loss and lower costs for audit.
By following best practices for performance-based budgeting, organizations avoid
overspending on activities that offer a negligible payoff or underspending
on high-yield activities and, instead, can focus on IT practices that deliver
bottom-line results. Better yet, for the shrinking IT budgets of today, managers
can now focus on the practices that are proving to reduce risks, reduce costs
and improve results.

Giving risk a name and a price

If there is one thing that is clear today, it is that every activity has some
risk associated with it -- including IT use. According to the ITPCG survey,
the top business risks from the use of IT are data loss and theft and business
downtime. In fact, the theft or loss of customer data was rated as the highest
business risk by more than 72 percent of organizations, while business disruptions
and the loss of integrity were rated as the top business risk by 64 percent
and 61 percent of organizations, respectively.
The trouble is, only about one in ten organizations are allocating spending
for the practices that are reducing what are considered the highest priority
risks. What's more, this misalignment comes with a price.
Organizations with the fewest losses or thefts of sensitive information, the
least amount of business downtime, and the fewest deficiencies to correct to
pass audit also have the lowest financial exposure. These high-performing organizations
experience fewer than three losses or thefts of sensitive information, less
than six hours of business downtime, and fewer than three audit deficiencies
a year. And the financial exposure among these organizations is less than 0.5
percent of annual revenue from the loss or theft of customer data, while exposure
from disrupted business ranges from just 0.02 to 0.2 percent of revenue. Furthermore,
these organizations also spend the least on regulatory audit, with average spending
52 percent lower than most other firms.