Many of the findings from Computer Weekly’s inaugural CIO Index were fascinating and troubling, but none more so than the fact that only one in three CIOs believes IT security is adequately funded in their organisation at present.
This first survey was primarily focused on IT business value, but the impression remains that too few boards are willing to see the value that lies in ensuring that security is a priority.
It would seem that security remains too intangible for some businesses to give it the attention it deserves. Perhaps it is only those organisations that have suffered major losses or reputational damage on the back of security lapses which are prepared to invest adequately to head off future problems.
Smaller businesses, in particular, are having to face up to the fact that their under-investment in security may one day come at a price. The DTI Security Breaches Survey highlighted the fact that small businesses are being disproportionately hit by computer crime, which is costing UK businesses an estimated £10bn a year – an increase of 50% in the past two years.
It seems fair to assume that this vulnerability is closely related to investment levels. More than 30% of small firms are still spending less than 1% of their IT budget on security, while larger firms have significantly increased their investment in security over the past two years, spending between 4% and 5% of their IT budgets on security.
But as the CIO Index makes clear, the feeling remains among many IT directors that even this level of investment is not enough.
CIOs and IT directors of businesses large and small need to continue to push the message that security is a key priority – and more money is required.