Security needs more leadership

Security eats up 10% of IT budgets, so why are incidents costing about $108,000 a time?

The results of KPMG's Global Security Survey, published in the spring, showed that despite dwindling IT budgets the spend attributed to IT security remained high. The research found that the average spend on IT security was $2.6m (£1.6m), representing 10% of overall IT budgets.

Equally, the future for funding looks rosy: 63% of businesses say they anticipate security spending will go up next year, with the average expected increase at 19%.

But despite this, security incidents are costing these businesses an average of $108,000 per incident. The reality is that a security myopia exists in many organisations: the focus remains heavily on technology investment, and not enough on security leadership.

The majority of security breaches are caused by people or process failures, and it is security leadership that can help to reduce these people and process failures and reduce the number and severity of security breaches.

Security leadership grows from the commitment of the board and is nurtured by senior management awareness throughout the business. It is needed to ensure that security is underpinned by the right objectives and direction to act as an enabler.

It ensures that security attracts the right resources - not just financial investment, but also training and skills, since 73% of security staff have no formal security qualifications. Security leadership also means that adequate measures are in place to judge how effective security actually is.

The research showed that the level of security commitment and awareness among senior managers varied across industries, but in fewer than half of the firms that responded to the survey was responsibility for information security recognised at board level. This is simply not enough.

Equally, responsibility for security is still largely held within the IT function and, despite the increased press coverage of high-profile security breaches, many still see security as a technical "bits and bytes" issue to be addressed by low-level technology specialists.

The problem is that many common security breaches are not caused by technology but by people. People write down passwords; they forget to examine security settings after upgrading systems; PDAs get lost or stolen. Without board-level commitment and drive, security will not be given the resources and attention needed to ensure that risks are effectively minimised, and the importance of security will not be instilled in all employees and championed across the business.

The fact is that closing security loopholes and accurately identifying areas for improvement requires cross-functional leadership and shared commitment with all business managers. Unfortunately, we often find a blame culture that parks security issues until they become security breaches, whereupon the IT department comes under fire for the consequences.

The research showed that in this area, financial service companies buck the trend, perhaps because of regulatory pressures and the perception that money needs more protection than other types of electronic information.

However, as the world becomes more connected, the risks to all kinds of business information increase significantly, and organisations of all types need to consider security without being compelled to do so by regulation.

Security leadership is also about having forward-looking strategies that build in effective forms of measurement. It may sound obvious, but there is still clearly a lack of vision.

Security policies typically have covered areas where there has been most concern and damage in recent years - such as Internet breaches and hacking, virus attacks, data protection and privacy violation. But the areas least covered in security strategies are those most likely to cause concern in the future, such as security of data held on PDAs and wireless network security.

Incident reporting and escalation were also found to be poorly covered, as was information classification. The formal measures of security performance are seldom sophisticated or broad enough to be of benefit, and value-for-money measures, such as expenditure and efficiency targets, hardly feature.

The danger in all this is that many organisations will fail to capture vital information about how many incidents occur and how much loss the organisation has suffered as a result.

Incident management statistics should form a central part of a security performance measurement regime and should be used to direct security improvement projects.

Ignorance of what is actually occurring within an organisation leads to the establishment of wrong priorities and the wrong allocation of funds.

At a time when IT spend is being cut to the bone, it seems security is, thankfully, faring quite well.

But to drive down the cost of security breaches, businesses must realise that they need both the bite of the budget and the subtle flavours of security leadership.

Robert Coles is European head of information security at KPMG