Global survey says funds a problem in protecting information systems
CIOs and CISOs need to make a better business case for information security investments and need to get better at explaining how information security is relevant to a company's business strategy, a new survey by Ernst & Young has revealed.
The 2003 Ernst & Young Global Information Security Survey found that, with budgets under continued pressure, spending on technology, education, training and infrastructure to support information security is slipping further down the corporate priority list.

More than half of the 1,400 companies surveyed, representing 26 industries across 66 countries including Sri Lanka, cited insufficient budgets as the number one obstacle to effectively safeguarding their information.
Though scarcity of funds is a major problem, it is compounded by the fact that barely half of the chief information officers, chief information security officers and other technology executives surveyed believed they had successfully aligned their spending with their key business objectives, the report released to the Sri Lankan media said.

There is a clear disconnect between what organizations define as a major business objective, protecting their information resources, and where they allocate funding, a representative of Ernst & Young's Technology and Security Risk Services said.

Few organizations are influenced by a broad spectrum of factors, including opportunities and benefits, when addressing information security. Mostly they take a one-dimensional, risk-averse approach rather than a holistic one, he said.
According to Ernst & Young, three initiatives organizations can undertake to strengthen the performance of their security programme are:

  • communicate information security issues in terms that are meaningful to stakeholders;
  • align security and business objectives throughout the organization; and
  • back up talk about security concerns with action.

Traditionally, calculating the return on investment in information technology has been a critical factor in building a business case for further investment. However, 60 percent of companies surveyed said they rarely or never calculate return on investment as part of building their business case for information security.

The return on investment appears to have fallen out of favour as a measure of the effectiveness of information security spending, the Ernst & Young representative said.

It looks like we need to find a credible alternative to conventional ROI approaches in order to secure funds for the information security function, he said.

The survey results also highlighted a significant difference between types of spending on information security.

Eighty-three percent of organizations listed technology spending as the largest component of their information security budgets, and only 29 percent said the majority of their information security budget is spent on employee awareness and training.

"Having the technology in place is crucial, but ensuring people know how to take the greatest advantage of the technology is equally important," an Ernst & Young representative said.

Other key findings included:

  • more than one-third of organizations rated themselves as less than adequate in their ability to determine whether their systems were under attack;
  • one-third of organizations describe their ability to respond to incidents as inadequate; and
  • only 34 percent of companies claimed to be compliant with applicable security-driven regulations.


Copyright © 2001 Wijeya Newspapers Ltd. All rights reserved.