Many of the findings from Computer Weekly’s inaugural
CIO Index were fascinating and troubling, but none more so than
the fact only one in three CIOs believes IT security is adequately
funded in their organisation at present.
This first survey was primarily focused on IT business value,
but the impression remains that too few boards are willing to see
the value that lies in ensuring that security is a priority.
It would seem that security remains too intangible for some
businesses to give it the attention it deserves. Perhaps it is only
those organisations that have suffered major losses or reputational
damage on the back of security lapses which are prepared to invest
adequately to head off future problems.
Smaller businesses, in particular, are having to face up to the
fact that their under-investment in security may one day come at a
price. The DTI Security Breaches Survey highlighted the fact that
small businesses are being disproportionately hit by computer
crime, which is costing UK businesses an estimated £10bn a year –
an increase of 50% in the past two years.
It seems fair to assume that this vulnerability is closely
related to investment levels. More than 30% of small firms are
still spending less than 1% of their IT budget on security, while
larger firms have significantly increased their investment in
security over the past two years, spending between 4% and 5% of
their IT budgets on security.
But as the CIO Index makes clear, the feeling remains among many
IT directors that even this level of investment is not enough.
CIOs and IT directors of business large and small need to
continue to push the message that security is a key priority – and
more money is required.