Complexities Drive Compliance and Security Costs
Managing compliance and managing IT risk have a common enemy: complexity.
By George V. Hulme, Techweb
While there are differences in how they are carried out, managing compliance and managing IT risk are both cumbersome and both pass through too many corporate layers. The biggest cost sinks in managing compliance, for instance, are often redundant efforts such as conflicting policies and multiple audits of the same systems and controls. The costs of managing IT risk, especially IT security risk, likewise lie in the complexity of managing multiple information-security defenses.
Just consider the number of technologies that must be managed for IT security at most large enterprises: network firewalls and traffic analyzers, and anti-malware at Web gateways, on servers, and on user end-points. Add to that the 7,000 patches released by software vendors last year, each of which had to be deployed. Then there's the skyrocketing number of mobile devices and telecommuters as travel and energy costs rise. It's no wonder that 62 percent of respondents to the recently released 2008 InformationWeek Strategic Security Study, which queried about 1,100 people, cited complexity as their biggest security challenge. The difficulty of managing it all topped budgets, executive leadership, and technology as the chief obstacle.
And while there have been victories, such as fewer devastating virus and worm infestations this year, the average cost of security breaches rose from $168,000 to $350,424 in 2007, according to the 2007 CSI Computer Crime and Security Survey. CSI also found that 46 percent of respondents suffered a security incident in the past year.
Interestingly, the InformationWeek survey found that many of the breaches were avoidable. Fully 21 percent of organizations don't conduct security risk assessments, and only 20 percent of companies that do them use the added guidance that can be provided by security auditors, according to the report.
And the failures were not a result of poor funding. A surprising 95 percent of InformationWeek respondents said their security budgets will remain the same, or even increase, in 2008.
That is why it’s no big surprise that, going forward, IT and risk management governance is high on the corporate agenda. Organizations are seeking ways to simplify and streamline the people and technologies they’ve already put into place.