[ISN] Update: Money seen as biggest obstacle to effective IT security

From: InfoSec News (isnat_private)
Date: Thu Jul 17 2003 - 00:46:05 PDT

    http://www.computerworld.com/securitytopics/security/story/0,10801,83109,00.html
    
    By JAIKUMAR VIJAYAN 
    JULY 16, 2003
    Computerworld
    
    Inadequate funding remains the single largest obstacle to implementing 
    effective IT security measures at most companies, according to the 
    results [1] of a recently completed global survey by Ernst & Young 
    International.
    
    Even so, a majority of the companies surveyed said they rarely or 
    never calculate return on investment when building a case for 
    information security budgets. 
    
    "Return on investment appears to have fallen out of favor as a measure 
    of the effectiveness of information security spending," Mark Doll, 
    Americas director of Ernst & Young's Security Services division, said 
    in a prepared statement. "It looks like we need to find a credible 
    alternative to conventional ROI approaches in order to secure funds 
    for the information security function." 
    
    The "2003 Ernst & Young Global Information Security Survey" was 
    conducted over a two-month period in early 2003 and includes responses 
    from more than 1,400 organizations in 66 countries. 
    
    Not surprisingly, 90% of the organizations surveyed said that IT 
    security is of high importance to them, with 78% identifying risk 
    reduction as the top factor influencing security spending. 
    
    Even so, information security managers are having a hard time 
    explaining the importance of IT security to overall business needs, 
    the survey showed. "There's a clear disconnect between what 
    organizations define as a major business objective -- protecting their 
    information resources -- and where they allocate funding," Doll said. 
    
    For instance, barely 51% of those surveyed said their IT security 
    spending was either completely or closely aligned with business needs. 
    More than 34% of organizations rated themselves as less than adequate 
    in their ability to determine whether their systems are currently 
    under attack, whereas more than 33% said their ability to respond to 
    incidents was inadequate. 
    
    Doll said that many executives focus on well-publicized security 
    issues such as viruses and malicious hackers when they should be 
    looking into less obvious threats, such as disgruntled employees, 
    network links to partners with untrustworthy systems, hardware thefts 
    and insecure wireless access used by employees. 
    
    "These factors can not only cause serious information security damage 
    but also severely damage a company's reputation," he said. 
    
    The bulk of security spending at most companies continues to be on 
    technology products, with far less attention being paid to employee 
    awareness and training issues, the survey revealed. Only 29% of those 
    surveyed listed employee awareness and training as a top area of IT 
    security spending. 
    
    The results suggest the need for companies to communicate information 
    security needs in terms that are meaningful to business stakeholders 
    and to align security and business needs more closely, New York-based 
    Ernst & Young said. 
    
    The survey's results, especially those relating to ROI, aren't all 
    that surprising, users said. 
    
    "Showing ROI on security is an interesting problem," said Jonathan 
    Squire, security technical architect at Dow Jones & Co. in Princeton, 
    N.J. "For the most part, if we are doing our job well, you don't 
    notice us. Security is not generally a profit center, so from a dollar 
    perspective, it is very hard to justify spending." 
    
    Security and IT managers also lack the "experience, training [and] 
    vocabulary" when it comes to articulating a business case for security 
    funding, said Dennis Treece, director of corporate security at the 
    Massachusetts Port Authority (Massport), in Boston. 
    
    As one of the executives in charge of securing Boston's Logan 
    International Airport, three seaports and a major toll bridge, Treece 
    oversees both physical and IT security for Massport. 
    
    "IT people come from a culture that sees security as just another 
    point of failure in their networks, another way to decrease network 
    speed and performance," Treece said. "IT people who get made IT 
    security people are too culturally attuned to the network's problems 
    and don't press the case for security strongly enough." 
    
    Compounding the problem is the fact that security metrics are, in many 
    ways, inherently hard to collect, Treece said. For instance, he said, 
    "how do you collect the number of events that did not happen because 
    your guards were awake?" 
    
    [1] http://www.ey.com/global/content.nsf/International/Press_Release_-_2003_Global_Information_Security_Survey
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 04:06:30 PDT