Monday, 23 February 2009 16:45

IT PCG report: Firms under-spending on IT security relative to financial risks

By Staff Writers
A majority – 68 percent to be precise – of 2,600 companies in North America are under-spending on information security relative to the financial risks and losses they are experiencing, according to the latest benchmark research report of the IT Policy Compliance Group (IT PCG).

The IT PCG says this under-spending persists despite the fact that incremental increases in funding for best practices are responsible for financial returns that can exceed 200 percent for most organisations.

The report, titled "Managing Spend on Information Security and Audit to Improve Results", outlines a risk-based approach to budgeting for information security that rewards results; the practices responsible for managing business and financial risks from the use of IT; and the substantial reductions in spending on audit in IT. The research was sponsored by the Computer Security Institute, the Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute, and Symantec.

Jim Hurley, managing director of IT PCG and principal research manager at Symantec, said today that "like an insurance deductible, all organisations are willing to sustain some level of financial risk and loss from theft of customer data or some level of business downtime from IT disruptions."

However, according to Hurley, "the research findings show that an organisation's loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high."

The IT PCG report reveals that firms ranked three business risks from IT well ahead of other possible risks: confidentiality of sensitive information; integrity of information, assets and controls in IT; and availability of IT services. The report leverages ongoing benchmarks to measure the performance of firms against these three risk areas.

IT PCG says that the results of the benchmark surveys can be broken down as follows:
• Worst Outcomes: 19 percent of all firms are experiencing more than 15 losses or thefts of data each year, 80 or more hours of business downtime from IT failures, and more than 15 audit-failing deficiencies.
• Normative Outcomes: 68 percent of all firms are operating at 'normal' levels, experiencing between 3 and 15 losses or thefts of data each year, between 7 and 79 hours of business downtime from IT failures, and between 3 and 15 audit-failing deficiencies.
• Best Outcomes: 13 percent of all firms are achieving the best results, experiencing fewer than 3 losses or thefts of sensitive information each year, less than 7 hours of business downtime, and fewer than 3 audit-failing deficiencies. The financial returns among these organisations range from 22 percent to more than 3,000 percent annually.

IT PCG also says it is surprised that the difference in outcome between the worst performers and the best performers was not a result of the size of security budgets. In fact, according to the report, the differences in size of security budgets were negligible, and what mattered was how those budgets were used.
 
"This report is a clear demonstration of the benefits that organisations can achieve from effective management of security, availability and other IT-related business risks," according to Brian Barnier, member of the IT Governance Institute's Risk IT Task Force.
 
"Good practices such as the freely downloadable COBIT framework can help organisations take specific actions to mitigate risk and maximise value.

"The group's findings quantify what has been assumed to be a best practice: organisations with a top-down approach and a clear owner who has line of authority and visibility to the business lines maintain the most cost-effective and comprehensive information security programs," Barnier said.

