When it comes to IT security spending, size doesn't matter; it's how the spend is used that counts.
Australian companies were spending little on information security technology, according to a recent Computer Sciences Corporation (CSC) survey. However, this may indicate a changing approach to security issues, not a failure to address them.
CSC found that 34 per cent of the 80 companies surveyed spend less than $10,000 a year on IT systems technology, with 23 per cent of respondents spending as little as $10,001 to $30,000 annually, and 19 per cent spending between $30,001 and $60,000.
While these figures show that small dollars are being spent on technology, people, process and education are now being identified as key defences against information security threats. Many are turning towards enhancing what Kevin Shaw, director of security services in the Asia-Pacific region for Deloitte Touche Tohmatsu, terms "soft values".
Shaw says that a focus on people, process and education is more important than buying the latest security appliances and software. He believes that security levels cannot be determined by adding up the money spent on the firewalls and software integrated into a company's IT framework.
"All the technology in the world will not necessarily address all the risks," he said.
Rob McMillan, executive manager of information assurance with the Commonwealth Bank, agrees with this.
"The issue boils down to ensuring that you have knowledgeable and alert people across the organisation," he said.
If this is the case, improvements in security can even crop up on their own. Many information handling enhancements that result in increased security arise from traditional business process innovations. Identifying which of these improvements can help in addressing security risks is very important.
McMillan agrees that a great deal of security expenditure is implicit, the by-product of overall innovation. This not only suggests that hardware budgets are a poor measure of security, but also makes accurate figures almost incalculable.
Shaw also said that it is quite difficult to calculate ROI on security spending from a "competitive advantage basis", especially if "no assessment of the 'as is' security profile is made, so no change in state can later be measured".
Not making these calculations any easier is the fact that "many of the returns stated in common business cases for security deployments are qualitative rather than quantitative and address issues such as risk reduction and avoidance," said Shaw, adding that "...executives must learn that security expenditure is more the cost of being in business rather than a cost to the business".
Shaw says that damage to shareholder and consumer confidence, as well as company reputation, is difficult to measure in terms of a 'dollar sign' impact.
Greg Janky, also of Deloitte, says that despite difficulties in calculating appropriate expenditure, companies should be directing 70 per cent of security efforts to people and process, and 30 per cent to implementations of appropriate technologies.
As a managerial improvement, the appointment of a chief security officer (CSO) is becoming an increasingly popular initiative. Deloitte already offer a 'CSO in a box' product in Europe. It sets up the office of the CSO and provides guidance on defining the role and its responsibilities. The product indicates a trend away from solely technological solutions towards smart, 'top-down' management and the introduction of clear accountability.