Meta Group: security programmes ignore key infrastructure

Almost one in three organisations do not include key parts of their IT infrastructure - anything from servers and networks to PCs - in their formal security programmes.

That is one of the stark findings of a survey by research organisation Meta Group into business IT security strategy.

Meta found that most organisations made security investments in response to security breaches, rather than as part of a planned programme of business-driven investment.

Some 71% of organisations surveyed cited damage to company image after a breach as the main driver for security investment, 70% feared legal liabilities, while 60% said lost revenues resulting from a breach were the key issue.

The Meta survey revealed 36% of organisations reported a security breach during the past two years with a further 18% admitting that they did not know whether they had been hacked.

Tom Scholtz, vice president of global networking strategies at Meta, warned of the huge potential for unmanaged risk as a result of reactive, rather than proactive, security policies. "In the past, companies have mistakenly addressed security and privacy concerns primarily through the use of technology. Information security management must be regarded as a business issue which is driven by senior management and reflected throughout the organisation," he said.

"Many IT and business executives are still sceptical about the levels of financial and technological investment required. However, by undertaking a coordinated corporate security strategy, a company can reduce duplication in security spending, it can take control of complex infrastructures and ultimately, it will reduce its security risk."

The survey did find a shift by some organisations towards the establishment of dedicated security teams, with 60% of large organisations (10,000 plus users) deploying them. However, companies across Europe were seen to be slower in establishing these groups than their US counterparts.

Almost half the organisations surveyed (43%) said they reviewed security policy annually, but Meta said the experience of its analysts was that most organisations reviewed security every two to three years.

Identifiable security budgets were found to be lower than expected at less than 2% of a company's IT budget. However, more than 70% of respondents indicated that further security expenditure was incorporated in other business investments.

Meta interviewed 521 IT and security professionals for the Security Adoption and Deployment Strategies report.