Inadequate funding remains the single largest obstacle to implementing effective IT security measures at most companies, according to a global survey by Ernst & Young International.
Even so, a majority of the companies surveyed said they rarely or never calculate return on investment when building a case for information security budgets.
"Return on investment appears to have fallen out of favour as a measure of the effectiveness of information security spending," said Mark Doll, Americas director of Ernst & Young's Security Services division.
"It looks like we need to find a credible alternative to conventional ROI approaches to secure funds for the information security function."
The "2003 Ernst & Young Global Information Security Survey" was conducted over a two-month period in early 2003 and includes responses from more than 1,400 organisations in 66 countries.
Not surprisingly, 90% of the organisations surveyed said that IT security is of high importance to them, with 78% identifying risk reduction as the top factor influencing security spending.
Even so, information security managers are having a hard time explaining the importance of IT security to overall business needs, the survey showed. "There's a clear disconnection between what organisations define as a major business objective - protecting their information resources - and where they allocate funding," Doll said.
For instance, onlu just over half of those surveyed said their IT security spending was either completely or closely aligned with business needs. More than 34% of organisations rated themselves as less than adequate in their ability to determine whether their systems are under attack, whereas more than a third said their ability to respond to incidents was inadequate.
Doll said that many executives focus on well-publicised security issues such as viruses and malicious hackers when they should be looking into less obvious threats, such as disgruntled employees, network links to partners with untrustworthy systems, hardware thefts and insecure wireless access used by employees.
"These factors can not only cause serious information security damage, but also severely damage a company's reputation," he said.
The bulk of security spending at most companies continues to be on technology products, with far less attention being paid to employee awareness and training issues, the survey revealed.
Only 29% of those surveyed listed employee awareness and training as a top area of IT security spending.
The results suggested the need for companies to communicate information security needs in terms that are meaningful to business stakeholders and to align security and business needs more closely, New York-based Ernst & Young said.
Jaikumar Vijayan writes for IDG News Service