Inadequate funding remains the single largest obstacle to implementing effective IT security measures at most companies, according to the results of a recently completed global survey by Ernst & Young International.
Even so, a majority of the companies surveyed said they rarely or never calculate return on investment when building a case for information security budgets.
"Return on investment appears to have fallen out of favor as a measure of the effectiveness of information security spending," Mark Doll, Americas director of Ernst & Young's Security Services division, said in a prepared statement. "It looks like we need to find a credible alternative to conventional ROI approaches in order to secure funds for the information security function."
The "2003 Ernst & Young Global Information Security Survey" was conducted over a two-month period in early 2003 and includes responses from more than 1,400 organizations in 66 countries.
Not surprisingly, 90 percent of the organizations surveyed said that IT security is of high importance to them, with 78 percent identifying risk reduction as the top factor influencing security spending.
Even so, information security managers are having a hard time explaining the importance of IT security to overall business needs, the survey showed. "There's a clear disconnect between what organizations define as a major business objective -- protecting their information resources -- and where they allocate funding," Doll said.
For instance, barely 51 percent of those surveyed said their IT security spending was either completely or closely aligned with business needs. More than 34 percent of organizations rated themselves as less than adequate in their ability to determine whether their systems are currently under attack, whereas more than 33 percent said their ability to respond to incidents was inadequate.
Doll said that many executives focus on well-publicized security issues such as viruses and malicious hackers when they should be looking into less obvious threats, such as disgruntled employees, network links to partners with untrustworthy systems, hardware thefts and insecure wireless access used by employees.
"These factors can not only cause serious information security damage but also severely damage a company's reputation," he said.
The bulk of security spending at most companies continues to be on technology products, with far less attention being paid to employee awareness and training issues, the survey revealed. Only 29 percent of those surveyed listed employee awareness and training as a top area of IT security spending.
The results suggest the need for companies to communicate information security needs in terms that are meaningful to business stakeholders and to align security and business needs more closely, New York-based Ernst & Young said.