Government departments concerned about IT security should be moving to a more general risk management approach, combining oversight of computer system availability, performance quality and compliance issues as well as technical security measures, according to security specialist Symantec. A report on IT manager and executive attitudes from a range of countries, including Australia and others in Asia, shows specific security oversight being subsumed into a high-level policy remit, with executives being made responsible for the whole panoply of satisfactory computer system results.
"There are a lot of governments that are doing more online delivery of services," said Peter Sparkes, senior manager, consulting services for Symantec for Australia, Pacific and Japan.
"In health they're very worried about data loss, particularly privacy issues, more than a lot of other areas. But we're seeing more concern generally over privacy issues in the last couple of years."
The Symantec survey, conducted last month, included a 28 per cent representation from the Asia-Pacific. It showed 46 per cent of respondents expect a serious data loss at least once a year, particularly credit card information, address lists, Medicare numbers, and anything that is part of an identifier and is useful for identity fraud.
For large organisations such as government departments, banks and telcos, the explosive spread of mobile phones and related devices means organisational borders are becoming porous, as departments link their computer systems with each other, use shared services, and install links with suppliers and clients.
"It's hard for organisations to know where their connections end; 47 per cent of respondents considered these remote devices a serious threat," said Mr Sparkes.
"Most organisations are having trouble managing data and security with these devices, only 34 per cent have an adequate inventory."
The proportion of IT managers concerned about system availability was 78 per cent, on security 70 per cent, performance levels 68 per cent and compliance matters 63 per cent. Given this fairly even level of concern over the whole system, some organisations are inserting high-level risk managers into the executive suite, particularly where computing power is being centralised in strategic centres.
These risk managers would not be involved in day to day work but would set policies and maintain oversight of major issues involving aspects of IT.
"A lot of people see risk management as a one-off," said Mr Sparkes. "We see it as an ongoing issue. As the organisation evolves, changes in the environment and processes means risk management needs to be ongoing."
Under this top-level monitoring, system availability and security stay as technical issues for the IT department, while system performance and computer data in compliance roles need a general executive approach, implementing training programs for staff and compliance procedure reviews.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.