One in six IT professionals see security as an unnecessary expense aimed at keeping auditors happy, a study has revealed.
Just 37.5% of those polled by security firm Turnkey Consulting said IT security is an essential business practice that can deliver a return on investment, down from 43.9% in 2012.
Two thirds of respondents said IT security risks had increased, while 38.2% said they had experienced a fraud incident in 2013, and 30% had experienced a data loss.
The research shows that the role of IT security is still not well understood by business and there is an ongoing reluctance to regard IT security as a business issue.
More than half of respondents said their organisation saw IT security as everyone’s responsibility, down from 64.6% in 2012.
And 40% of respondents reported that their organisation regarded IT and systems security as the sole responsibility of IT, up from 28% in 2012.
To combat these risks, the report said control activities, designed to prevent or detect exceptions in a business process, could be automated.
Only 55% of respondents said they used some automated controls and planned to increase the number, up from 50% in 2012.
“It is concerning to see that IT security is still not perceived as an integral part of the business,” said Richard Hunt, managing director of Turnkey Consulting.
He said this was of particular concern with corporate systems that have an increasing number of touchpoints with increased mobility and collaboration.
“This streamlines business processes, but it increases the risk to the enterprise,” said Hunt. “To tackle this, an end-to-end approach to security is required to fully secure the organisation’s systems and data.”
The report said: “An end-to-end approach to security is required to fully secure the organisation’s systems and data, so it is concerning to see that IT security is still not perceived to be an integral part of the business.”
The research report notes that achieving compliance occupies a growing amount of business resource, as the regulatory environment becomes more complex and the consequence of failure increasingly severe.
“But – paradoxically – in being rigorous about meeting the demands of the auditor, organisations may actually be increasing their exposure to risk,” the report said.
Turnkey’s research also outlined how key technology trends were viewed from a security perspective, with the following key findings:
- Outsourcing: 67.5% of organisations are proactively planning for and managing the IT security risk around outsourcing, up from 53.7% in 2012.
- Big data: 39.5% of organisations planning to invest in big data technology such as HANA are also intending to invest in additional security, up from 25.9% in 2012.
- Mobile: 48.7% of organisations planning to invest in mobile strategies will include investment in additional security, up from 50% in 2012.
- Cloud computing: 40% of organisations planning to invest in cloud computing will include additional security in their plans, up from 38.8% in 2012.