The report, titled "Managing Spend on Information Security and Audit to Improve Results", outlines a risk-based approach to budgeting for information security that rewards results; the practices responsible for managing business and financial risks from the use of IT; and the substantial reductions in spending on audit in IT. The research was sponsored by the Computer Security Institute, the Institute of Internal Auditors, Protiviti, ISACA, the IT Governance Institute, and Symantec.
Jim Hurley, managing director of IT PCG and principal research manager at Symantec, said today that "like an insurance deductible, all organisations are willing to sustain some level of financial risk and loss from theft of customer data or some level of business downtime from IT disruptions."
However, according to Hurley, "the research findings show that an organisation's loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high."
The IT PCG report reveals that firms ranked three business risks from IT well ahead of other possible risks: confidentiality of sensitive information; integrity of information, assets and controls in IT; and availability of IT services. The report uses ongoing benchmarks to measure the performance of firms against these three risk areas.
IT PCG says that the benchmark survey results break down into three groups:
• Worst Outcomes: 19 percent of all firms are experiencing more than 15 losses or thefts of data each year, 80 or more hours of business downtime from IT failures, and more than 15 audit-failing deficiencies.
• Normative Outcomes: 68 percent of all firms are operating at 'normal' levels, experiencing between 3 and 15 losses or thefts of data each year, between 7 and 79 hours of business downtime from IT failures, and between 3 and 15 audit-failing deficiencies.
• Best Outcomes: 13 percent of all firms are achieving the best results, experiencing fewer than 3 losses or thefts of sensitive information each year, less than 7 hours of business downtime, and fewer than 3 audit-failing deficiencies. The financial returns among these organisations range from 22 percent to more than 3,000 percent annually.
IT PCG also says it was surprised to find that the difference in outcome between the worst performers and the best performers was not explained by the size of their security budgets. In fact, according to the report, the differences in the size of security budgets were negligible; what mattered was how those budgets were used.
"This report is a clear demonstration of the benefits that organisations can achieve from effective management of security, availability and other IT-related business risks," according to Brian Barnier, member of the IT Governance Institute's Risk IT Task Force.
"Good practices such as the freely downloadable COBIT framework can help organisations take specific actions to mitigate risk and maximise value.
"The group's findings quantify what has been assumed to be a best practice: organisations with a top-down approach and a clear owner who has line of authority and visibility to the business lines maintain the most cost-effective and comprehensive information security programs," Barnier said.