Inadequate funding remains the single largest obstacle
to implementing effective IT security measures at most companies,
according to a global survey by Ernst & Young
International.
Even so, a majority of the companies surveyed said they rarely
or never calculate return on investment when building a case for
information security budgets.
"Return on investment appears to have fallen out of favour as a
measure of the effectiveness of information security spending,"
said Mark Doll, Americas director of Ernst & Young's Security
Services division.
"It looks like we need to find a credible alternative to
conventional ROI approaches to secure funds for the information
security function."
The "2003 Ernst & Young Global Information Security Survey"
was conducted over a two-month period in early 2003 and includes
responses from more than 1,400 organisations in 66 countries.
Not surprisingly, 90% of the organisations surveyed said that IT
security is of high importance to them, with 78% identifying risk
reduction as the top factor influencing security spending.
Even so, information security managers are having a hard time
explaining the importance of IT security to overall business needs,
the survey showed. "There's a clear disconnection between what
organisations define as a major business objective - protecting
their information resources - and where they allocate funding,"
Doll said.
For instance, onlu just over half of those surveyed said their
IT security spending was either completely or closely aligned with
business needs. More than 34% of organisations rated themselves as
less than adequate in their ability to determine whether their
systems are under attack, whereas more than a third said their
ability to respond to incidents was inadequate.
Doll said that many executives focus on well-publicised security
issues such as viruses and malicious hackers when they should be
looking into less obvious threats, such as disgruntled employees,
network links to partners with untrustworthy systems, hardware
thefts and insecure wireless access used by employees.
"These factors can not only cause serious information security
damage, but also severely damage a company's reputation," he
said.
The bulk of security spending at most companies continues to be
on technology products, with far less attention being paid to
employee awareness and training issues, the survey revealed.
Only 29% of those surveyed listed employee awareness and
training as a top area of IT security spending.
The results suggested the need for companies to communicate
information security needs in terms that are meaningful to business
stakeholders and to align security and business needs more closely,
New York-based Ernst & Young said.
Jaikumar Vijayan writes for IDG News Service