Inadequate funding remains the single largest obstacle to implementing effective IT security measures at most companies, according to the results of a recent global survey by Ernst & Young International.
Even so, a majority of the companies surveyed said they rarely or never calculate return on investment when building a case for information security budgets.
“Return on investment appears to have fallen out of favour as a measure of the effectiveness of information security spending,” said Mark Doll, Americas director of Ernst & Young’s Security Services division. “It looks like we need to find a credible alternative to conventional ROI approaches in order to secure funds for the information security function.”
The 2003 Ernst & Young Global Information Security Survey includes responses from more than 1,400 organizations in 66 countries.
Not surprisingly, 90 per cent of the organizations surveyed said that IT security is of high importance to them, with 78 per cent identifying risk reduction as the top factor influencing security spending.
Doll said that many executives focus on well-publicized security issues such as viruses and malicious hackers when they should be looking into less obvious threats, such as disgruntled employees, network links to partners with untrustworthy systems, hardware thefts and insecure wireless access used by employees.
The bulk of security spending at most companies continues to be on technology products, with far less attention being paid to employee awareness and training issues. Only 29 per cent of those surveyed listed employee awareness and training as a top area of IT security spending.