IT Risk Management vs. Information Security survey
I was playing catch-up on blog reading and came across this interesting post by a favorite blogging colleague of mine, Anton Chuvakin, "Review of my 2007 Security Prediction: Too Wimpy."
Prediction #4 about Risk Management led to some very intriguing survey results. Here is a copy of the graphic from those results, which says it all...

A personal point I can add here is this actually makes some sense to me.
Here at Securityworks we are 100% focused on talking IT Risk Management. When I talk with customers they are usually talking (strategic = risk) vs. (tactical = security). Another thing to realize is that IT risk encompasses more than technical control monitoring/management solutions (that is only 50% of the scope, as discussed in my previous post). IT Risk also spans people & processes (e.g., non-technical controls). Since that typically requires getting into process improvement, it is naturally discussed as a strategic initiative due to the time/effort associated with it.
So now, with 2007 ending and looking ahead to 2008, we should use this opportunity to be more strategic before tactical day-to-day tasks re-consume us. IT-GRC solutions (which is what Gartner, Forrester, etc. are calling these solutions) help you do this! So go ahead, take a look... this is going to be a hot area for 2008 based on what I'm seeing and hearing, for a variety of reasons.
Labels: compliance, ISO, it risk, non-technical controls, risk, security
