Gartner Blog Network

How Do You Know When Your Security and Risk Program Is Failing?

by John A. Wheeler  |  October 28, 2014  |  1 Comment

This week, I’m at our Gartner Symposium/ITxpo in Sao Paulo, Brazil and will be hosting a roundtable session to discuss ways to transform a failing security & risk program. While many security & risk professionals are keenly focused on evaluating potential security threats and plugging holes in their networks, fewer are focused on what’s most important – their ability to anticipate and respond effectively when the inevitable threat becomes reality.

How do you know if you can anticipate and respond effectively to an IT risk event? Well, the answer lies within another question – How do you know when your security & risk program is failing?

Identifying a failing security & risk program is much like a doctor diagnosing a patient that is at risk for a heart attack or stroke. The doctor will ask the patient a series of questions to determine their lifestyle and its impact on the patient’s future cardiovascular health. Likewise, Gartner has a series of questions to determine the “lifestyle” of the security & risk program and its impact on the company’s ability to anticipate and respond to an IT risk event. The key questions include:

  1. Are you focused on the most critical IT risks to the business?
  2. Are you continuously monitoring these critical IT risks?
  3. Do you have a forward-looking approach to identify emerging IT risks?
  4. Are you driving the right behaviors to optimize your IT risk profile?
  5. Are you taking too much IT risk or not taking enough?
  6. Do you have a full view of all the IT risks?
  7. Can you prepare and quickly coordinate a full response to an IT risk event?

If you answer “no” to any of these questions, then your security & risk program is most likely failing. Answering “yes” to all of the questions is a good indicator of effectiveness, but it also requires discipline to revisit the questions on a regular basis. One of the best ways to revisit these questions regularly is to use them as a basis for dialogue with your board of directors and senior executives. How do you establish this ongoing dialogue? Discuss with me at our Brazil Symposium this week or read my latest research at


Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: digital-risk  enterprise-risk-management  it-risk-management  

Tags: digital-risk-2  it-risk-management-2  it-security-and-risk  risk-management  

John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler Read Full Bio

Thoughts on How Do You Know When Your Security and Risk Program Is Failing?

  1. francisco alejandro viana canizalez says:

    la seguridad es un problema serio que tengo encima, ya que el ISP local (administrador de servicios de Internet), tiene intervenida mi conexion, intercepta mi informacion, ha creado directivas que me impiden el acceso a mi informacion personal, mi identidad aparece como no definida, la configuracion del DNS la manipulan cuando les conviene, etc. asi es que necesito ayuda al respecto.

    espero sus orientaciones.

    gracias por su atencion.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.