Companies reluctant to spend on IT security despite knowing risks

IT directors are finding it harder than ever to justify spending on IT security to their boards, despite a dramatic growth in the costs to businesses of the actions of organised hacking groups.

By 2005, politically or financially motivated attacks will account for 60% of the cost to business of security breaches, Nino Moscardini, vice-president of Gartner Consulting, told the British Computer Society's Elite IT directors group last week.

But David Spinks, EDS' global director of operational risk, said, "IT budgets are harder than they have ever been."

Boards will only take security proposals seriously if they can be shown to save or make money, said Spinks. He advised IT directors to present simple graphs to the board rather than reams of numbers and jargon. "Pictorial representation of risk is most powerful," he said.

IT directors must broaden their understanding of security generally, to become familiar with the Basel II regulatory framework for operational risk. "If you are too focused on IT security, you will miss a trick," Spinks warned.

Directors should be spurred on by the regulatory bodies and rating agencies which, he said, are concerned about "the track record of serious loss from inadequate controls".

Consultant William List said that when seeking to convince the board about the need for IT security, managers should explain it in terms board members will listen to: warn them of the risk of bad press coverage, court action, loss of revenue, increased costs, or loss of business.

However, IT security measures count for nothing, said Peter Wood of First Base Technologies, when people can walk into an organisation from the street armed with just a clipboard and pen and then go into the machine room and steal a tape. He warned of rogue cleaners who could plug a simple keyboard logger into the back of a computer and harvest it for passwords the following day.
