More than half of information technology leaders in the US believe that employee-owned mobile devices pose a greater risk to the enterprise than mobile devices supplied by the company, according to a new member survey by ISACA. Yet 27% still believe the benefits of employees using personal devices outweigh the risks.
The 2011 ISACA IT Risk/Reward Barometer found that 58% of US information security and IT audit professionals view mobile devices owned by employees as posing the greatest risk, compared to 33% who chose one of the work-supplied categories: smartphones, laptops/netbooks, tablet computers, broadband cards or flash drives.
IT organisations are increasingly being asked to manage the growing trend of “BYOD” (bring your own device) as employees take advantage of more powerful and affordable mobile devices that let them work from any location.
“BYOD presents both opportunities and threats. It lets both employees and organisations take advantage of the latest technology innovations at limited cost to the organisation. Unfortunately, it also introduces new vulnerabilities, due to the limited ability of most organisations to effectively manage and secure employee-owned devices accessing their information infrastructure,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC. “Organisations should educate their employees on their BYOD security requirements and implement a comprehensive mobile device policy that aligns with the organisation's risk profile.”
The IT Risk/Reward Barometer, now in its second year, helps gauge current attitudes and organisational behaviours related to the risks and rewards associated with IT projects and emerging trends. The study polled 2 765 IT leaders from around the world, including 712 respondents from the US. To see the full results, visit www.isaca.org/risk-reward-barometer.
The percentage of UK respondents who viewed devices owned by employees as most risky (61%) was similar to US members, while only 36% of members in India and 33% in China shared this opinion.
Despite their concerns, IT professionals are pragmatic about balancing risks with rewards and are actively involved in managing mobile security. Twenty-seven percent of US respondents felt that the benefits of employees using their own mobile devices for work activities outweigh the risks, and another 36% view risks and benefits as evenly balanced. More than eight out of 10 have a security policy in place for mobile computing, although 32% of those admit their policy needs to be updated or communicated.
Growing acceptance of cloud computing
Cloud computing, another key IT trend, is growing in acceptance. This year's Barometer shows that the number of enterprises that do not use cloud for any IT services has decreased by five points to 21%, and those that plan to use it for mission-critical IT services has increased four points to 14%. This shift in attitude matches a growing spend on the cloud model as enterprises seek lower total cost of ownership, greater efficiency and increased flexibility.
“Cloud computing isn't new; it's an evolution of IT that is growing in popularity with the C-suite as a viable and cost-effective IT resource enabling businesses to be more agile,” said Robert Stroud, CGEIT, international vice-president of ISACA and service management, cloud computing and governance evangelist at CA Technologies. “Because security is still a concern with cloud services, organisations recognise that they must take measured risk in cloud deployment. But it's a calculated risk they will take because they know that stifling the use of cloud computing to avoid risk could actually stifle business growth.”
Cloud computing is one of the issues on the agenda at ISACA's World Congress: INSIGHTS 2011 conference 27-29 June near Washington DC. Senior-level government officials and executives from Fortune 500 companies will share expertise on emerging technologies in the context of business value and compliance at this inaugural event.
Information security, risk jobs on the rise
Despite a sluggish economic recovery, a surprisingly high percentage (40%) of respondents expect their organisation's staffing requirements for information security to increase over the next year, with an additional 55% expecting to remain at current levels. Similarly, 34% expect risk management staffing requirements to go up, with only 5% expecting requirements to drop.
“Today's rapid acceleration in data volume, IT complexity and privacy regulations is fuelling a need for a greater focus on information security and risk management. ISACA is seeing a similar growth in interest in its CRISC and CISM certifications, as professionals seek to better understand and demonstrate proficiency in the critical areas of managing security and risk,” said Ken Vander Wal, CISA, CPA, international vice-president of ISACA.
ISACA's CISM certification programme is developed specifically for experienced information security managers. CRISC is designed for IT professionals who have hands-on experience with risk identification, assessment, evaluation, response and monitoring. Since it was established one year ago, the CRISC certification has been earned by more than 8 000 professionals.
IT risk management becoming more strategic
Overall, this year's IT Risk/Reward Barometer indicates that striking a balance between reducing risk and enabling reward is evolving toward a more strategic, cross-enterprise view. Integration of IT risk management into overall enterprise risk management is up slightly over last year's results, and survey participants felt that the best way to improve risk management is to improve its coordination with enterprise risk management. While compliance (26%) and avoiding negative incidents (22%) are still the primary drivers behind managing IT risk, a close third is now aligning functionality with business needs (18%). Underscoring that performance motivators seem to be on the rise, the percentage of respondents who identified “improving the balance of risk-taking with risk-avoidance to improve return on investment” as the top driver doubled from 2010 to 2011.
“Managing information and the technology used to transform it into competitive advantage is a boardroom imperative. As forward-thinking leaders roll IT risk into their overall enterprise risk management, they will be far better positioned to reap the rewards of new technologies like mobile and cloud without feeling overwhelmed by the risk,” said Vander Wal.
ISACA IT Risk/Reward Barometer
The IT Risk/Reward Barometer is based on a March 2011 online polling of 2 765 ISACA members worldwide. US results are based on a sample size of 712 respondents. To see the full results, visit www.isaca.org/risk-reward-barometer.
ISACA
With 95 000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.