Link: IT Decisions – Security
Only 13% of the 100 chief information officers, chief technology officers and IT directors surveyed tracked the costs and returns on their security purchases, despite nine out of ten of the executies rating it in their top five priorites – and a shade under 40% as their top IT priority.
But while security is considered important, only 15% of firms regard it as a business investment in risk management.
‘There’s still a problem with attitude,’ said Gordon Morris, analyst at IDC.
‘Security is a bit of a head-in-the-sand issue. Most board members don’t come from an IT background and aren’t used to operating in this way. They see IT security as a business cost, or as one person said a necessary evil.’
IDC added that attitudes are changing at board level as IT managers learn to demonstrate the prudence of risk management tools – although many still find building a realistic picture of IT security return on investment problematical.
Rather than comparing the cost of hardware and software with the cost of a breach in security, companies should look at the larger business benefits involved, IDC said.
‘Risk management assessments are becoming an an increasingly important way of measuring a company’s success due to the growing focus on coporate governance and management accountability,’ said Morris.
‘It is true that ROI of security investment may never be known,’ the report concludes.
‘By working with risk management, though, some form of value can be understood and communicated. By measuring the effectiveness and value of IT security investment, a platform for providing a meaningful IT security platform can be achieved.’
Companies looking to manage their risk are increasingly passing the problem onto third parties, either by outsourcing or moving into partnership with specific security vendors, the report said.
IDC also warned vendors that while risk management was now the key factor in most purchase decisions, scare stories about viruses and other malware was least effective tool in persuading companies to set a firm security policy.