Symantec IDs Shortcomings

CUPERTINO, Calif. -- Symantec Corp. (NASDAQ: SYMC) today released the Symantec IT Risk Management Report, highlighting that 60 percent of respondents expect at least one major IT incident per year that could halt or disrupt a critical part of the business. The Symantec IT Risk Management Report, a new report aimed at helping executives and IT operational personnel understand the critical elements involved in an effective IT risk management strategy, is based on input from quantitative and qualitative survey research conducted over a twelve month period ending October 2006. Symantec collected information from more than 500 respondents from IT managers to top IT executives in organizations with worldwide operations, in a wide representation of industry segments.

"The ING Renault F1 Team's IT infrastructure is critical to our relationships with customers and partners and therefore, we are committed to managing IT risk as part of our larger business strategy," said Graeme Hackland, IT manager, ING Renault FI Team. "In today's environment, understanding our exact risk profile and how we can better prioritize our resources to ensure an effective IT risk strategy is top of mind."

Organizations Anticipate Security Breaches, Incidents The Symantec IT Risk Management Report survey data indicated that a majority of respondents expect to be impacted by some type of security or compliance incident in the next one to five years. Specifically, 66 percent of respondents expect a major regulatory incident at least once every five years. Additionally, 58 percent of respondents expect a major data loss caused by events such as data center outage, corruption of data, or breach of security systems, at least once every five years.

Deployment of Process Controls Falls Behind Technology Controls Effective IT risk management requires a strong combination of expertise and investment in process controls and technology controls. The most effective IT risk management programs use defined controls that combine well-chosen technologies and best-practice processes. The Symantec IT Risk Management Report revealed that professionals surveyed at all levels of organizations, across industries, scale, and geographic reach, view their organizations'capabilities with technology controls as more effective than with process controls.

The report findings indicated that authentication, authorization, and access was the process control rated highest for effectiveness, with 68 percent of respondents rating their organization more than 75 percent effective. The report also underlined a specific process control problem in identifying, classifying and managing IT assets. Only 38 percent of respondents rated themselves more than 75 percent effective in implementing asset inventory, classification, and management process controls. These controls are of fundamental importance in building an IT risk management program which reflects the organization's priorities. Without careful risk assessment, all assets are likely to be treated equally, where some may be overprotected and others under protected.

"Organizations are beginning to see the value in taking a proactive, rather than reactive approach to their IT risk management strategy," said Jon Oltsik, senior analyst at Enterprise Strategy Group. "Effective IT risk management requires organizations to assess both their technology and processes, as well as have clear understanding and agreement about different risks that may impact their systems, and their overall business."

Symantec Corp. (Nasdaq: SYMC)