Information Security News mailing list archives

Update: Money seen as biggest obstacle to effective IT security


From: InfoSec News <isn () c4i org>
Date: Thu, 17 Jul 2003 02:46:05 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,83109,00.html

By JAIKUMAR VIJAYAN 
JULY 16, 2003
Computerworld

Inadequate funding remains the single largest obstacle to implementing 
effective IT security measures at most companies, according to the 
results [1] of a recently completed global survey by Ernst & Young 
International.

Even so, a majority of the companies surveyed said they rarely or 
never calculate return on investment when building a case for 
information security budgets. 

"Return on investment appears to have fallen out of favor as a measure 
of the effectiveness of information security spending," Mark Doll, 
Americas director of Ernst & Young's Security Services division, said 
in a prepared statement. "It looks like we need to find a credible 
alternative to conventional ROI approaches in order to secure funds 
for the information security function." 

The "2003 Ernst & Young Global Information Security Survey" was 
conducted over a two-month period in early 2003 and includes responses 
from more than 1,400 organizations in 66 countries. 

Not surprisingly, 90% of the organizations surveyed said that IT 
security is of high importance to them, with 78% identifying risk 
reduction as the top factor influencing security spending. 

Even so, information security managers are having a hard time 
explaining the importance of IT security to overall business needs, 
the survey showed. "There's a clear disconnect between what 
organizations define as a major business objective -- protecting their 
information resources -- and where they allocate funding," Doll said. 

For instance, barely 51% of those surveyed said their IT security 
spending was either completely or closely aligned with business needs. 
More than 34% of organizations rated themselves as less than adequate 
in their ability to determine whether their systems are currently 
under attack, whereas more than 33% said their ability to respond to 
incidents was inadequate. 

Doll said that many executives focus on well-publicized security 
issues such as viruses and malicious hackers when they should be 
looking into less obvious threats, such as disgruntled employees, 
network links to partners with untrustworthy systems, hardware thefts 
and insecure wireless access used by employees. 

"These factors can not only cause serious information security damage 
but also severely damage a company's reputation," he said. 

The bulk of security spending at most companies continues to be on 
technology products, with far less attention being paid to employee 
awareness and training issues, the survey revealed. Only 29% of those 
surveyed listed employee awareness and training as a top area of IT 
security spending. 

The results suggest the need for companies to communicate information 
security needs in terms that are meaningful to business stakeholders 
and to align security and business needs more closely, New York-based 
Ernst & Young said. 

The survey's results, especially those relating to ROI, aren't all 
that surprising, users said. 

"Showing ROI on security is an interesting problem," said Jonathan 
Squire, security technical architect at Dow Jones & Co. in Princeton, 
N.J. "For the most part, if we are doing our job well, you don't 
notice us. Security is not generally a profit center, so from a dollar 
perspective, it is very hard to justify spending." 

Security and IT managers also lack the "experience, training [and] 
vocabulary" when it comes to articulating a business case for security 
funding, said Dennis Treece, director of corporate security at the 
Massachusetts Port Authority (Massport), in Boston. 

As one of the executives in charge of securing Boston's Logan 
International Airport, three seaports and a major toll bridge, Treece 
oversees both physical and IT security for Massport. 

"IT people come from a culture that sees security as just another 
point of failure in their networks, another way to decrease network 
speed and performance," Treece said. "IT people who get made IT 
security people are too culturally attuned to the network's problems 
and don't press the case for security strongly enough." 

Compounding the problem is the fact that security metrics are, in many 
ways, inherently hard to collect, Treece said. For instance, he said, 
"how do you collect the number of events that did not happen because 
your guards were awake?" 

[1] http://www.ey.com/global/content.nsf/International/Press_Release_-_2003_Global_Information_Security_Survey



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.