Security eats up 10% of IT budgets, so why are incidents costing
about $108,000 a time?
The results of KPMG's Global Security Survey, published in the
spring, showed that despite dwindling IT budgets the spend
attributed to IT security remained high. The research found that
the average spend on IT security was $2.6m (£1.6m) - representing
10% of IT budgets overall.
Equally, the future for funding looks rosy: 63% of businesses say
they anticipate security spending will go up next year, with the
average expected increase at 19%.
But despite this, security incidents are costing these businesses
an average of $108,000 per incident. The reality is that a security
myopia exists in many organisations, where the focus remains
heavily on technology investment, and not enough on security
leadership.
The majority of security breaches are caused by people or process
failures, and it is security leadership that can help to reduce
these people and process failures and reduce the number and
severity of security breaches.
Security leadership grows from the commitment of the board and is
nurtured by senior management awareness throughout the business. It
is needed to ensure that security is underpinned by the right
objectives and direction to act as an enabler.
It ensures that security attracts the right resources - not just
financial investment but also training and skills, since 73% of
security staff have no formal security qualifications. Security
leadership also means that sufficient measures are in place to judge
its effectiveness.
The research showed that the level of security commitment and
awareness among senior managers varied across industries, but in
less than half of the firms that responded to the survey the
responsibility for information security was recognised at board
level. This is simply not enough.
Equally, responsibility for security is still largely held within
the IT function and, despite the increased press coverage of
high-profile security breaches, many still see security as a
technical "bits and bytes" issue to be addressed by low-level
technology specialists.
The problem is that many common security breaches are not caused by
technology but by people. People write down passwords; they forget
to examine security settings after upgrading systems; PDAs get lost
or stolen. Without board-level commitment and drive, security will
not be given the necessary resources and attention to ensure that
risks are effectively minimised and the importance of security
instilled in all employees and championed across the business.
The fact is that closing security loopholes and accurately
identifying areas for improvement requires cross-functional
leadership and shared commitment with all business managers.
Unfortunately, we often find a blame culture that parks security
issues until they become security breaches, whereupon the IT
department comes under fire for the consequences.
The research showed that in this area, financial service companies
buck the trend, perhaps because of regulatory pressures and the
perception that money needs more protection than other types of
electronic information.
However, as the world becomes more connected, the risks to all
kinds of business information increase significantly, and
organisations of all types need to consider security without being
compelled to do so by regulation.
Security leadership is also about having forward-looking strategies
that build in effective forms of measurement. It may sound obvious,
but there is still clearly a lack of vision.
Security policies typically have covered areas where there has been
most concern and damage in recent years - such as Internet breaches
and hacking, virus attacks, data protection and privacy violation.
But the areas least covered in security strategies are those most
likely to cause concern in the future, such as security of data
held on PDAs and wireless network security.
Incident reporting and escalation were also found to be sorely
lacking, as was information classification. The formal measures of security
performance are seldom sophisticated enough or wide enough to be of
benefit, and value-for-money measures, such as expenditure and
efficiency targets, hardly feature.
The danger in all this is that many organisations will fail to
capture vital information about how many incidents occur and how
much loss the organisation has suffered as a result.
Incident management statistics should form a central part of a
security performance measurement regime and should be used to
direct security improvement projects.
Ignorance of what is actually occurring within an organisation
leads to the establishment of wrong priorities and the wrong
allocation of funds.
At a time when IT spend is being cut to the bone, it seems security
is, thankfully, faring quite well.
But to drive down the cost of security breaches, businesses must
realise that they need both the bite of the budget and the subtle
flavours of security leadership.
Robert Coles is European head of information security at KPMG