For many years, IT security tended to be an afterthought in many corporate budgets. When times are good, the CFO and CIO often allot money towards the purchase of new hardware rather than new data encryption software, whose value is harder to quantify. When times are bad, funding for security is often among the first areas to be slashed.
But perhaps not this time. Despite the worst economic downturn in 30 years, finance executives now seem to be focusing on addressing IT security as a critical business issue. Or so suggest the responses to PricewaterhouseCoopers’ 2010 Global State of Information Security survey. The 7,200 business executives surveyed worldwide say that IT security can’t now be ignored.
The study reveals that global leaders appear to be ‘protecting’ the information security function from budget cuts: nearly two out of every three respondents (63%) expect spending to either increase or stay the same, in spite of the worst economic downturn in decades.
But expectations of IT security are also much higher. The IT security function and its leaders are now tasked with helping the company address an acute set of crisis-related risks and opportunities such as those associated with new business models, M&A transactions, successive waves of layoffs, a shifting regulatory landscape, cost-cutting drives in other parts of the enterprise, and major shifts in a key competitor’s strategy.
Change of Heart
According to the survey, five factors are persuading companies that it is time to make IT security a corporate priority. Forty-one percent say business continuity and disaster recovery has elevated the importance of security among the top brass. Thirty-nine percent indicate that the economic downturn is adding to their sense of urgency. The other three important drivers are internal policy compliance (38%); regulatory compliance (37%); and company reputation (32%).
Worries over terrorism, climate change and natural disasters may be fanning the increased importance being placed on business continuity. Then there are the fears about cyber-crime. Security companies predict that social networks, cloud computing, e-mail messages, and mobile devices will become prime targets for cybercriminals in 2010, additional reasons for CFOs to give importance to IT security.
For Ted DeZaballa, national managing partner for security and privacy at international consultancy Deloitte, the biggest threat in 2010 is organised crime stealthily moving to exploit an individual’s computer in order to infiltrate the larger enterprise. Organisations “simply don't understand how exposed they are,” he says.
Cost of Complacency
There has been a frightening increase in the volume of data breaches. According to MSN, the number of personal records (data like Social Security numbers, medical records and credit card information tied to an individual) that have been exposed to hackers skyrocketed to more than 220 million records in 2009, compared with 35 million in 2008. That represents the largest collection of lost data on record. The majority of 2009’s data loss stems from a single source: U.S. credit card processing firm Heartland Payment Systems.
Dr. Larry Ponemon, founder and chairman of the Ponemon Institute in the U.S., conducted a study of 43 companies that suffered a data breach in 2008. He estimates that the incidents cost the companies US$6.6 million per breach, up from US$6.3 million in 2007 and US$4.7 million in 2006. Ponemon says that in 2008, the per-victim cost of a data breach was US$202, up from US$197 in 2007, and from US$138 when the study was launched in 2005.
“The simple conclusion to these numbers is clear: the financial impact for a company that experiences a data breach is significant and rising,” notes Ponemon. The costs in the wake of a data breach are mounting because of lost business and legal defense, which grew in 2008, while costs of customer support, notification and free services such as credit monitoring decreased, according to the study.
Enhanced Security Capabilities
To their credit, many CFOs and CIOs have been busy bolstering the capabilities of their security departments over the past year. One of the clearest improvements, the PwC survey says, has been an expansion in leadership positions—such as for chief information security officers (from 29% in 2008 to 44% in 2009), for chief security officers (from 27% to 41%), and for chief privacy officers (from 21% to 30%).
With more robust leadership also comes an improvement in planning, notes the survey. Nearly two out of every three respondents (65%) now report that their organisation has an overall information security strategy—and nearly half (48%) point to having an identity management strategy in place.
Consistent with a steady evolution toward a more mature, well championed, strategy-led approach to information security is evidence of gains in areas such as compliance testing (from 44% to 51%), risk assessments conducted by third parties (from 26% to 36%), integration of privacy and compliance plans (from 36% to 44%), and incident response coordination with third parties handling company data (from 27% to 35%).
Gains were evident even in the technology arena. The drumbeat of double-digit advances across virtually every key area of security technology in 2008 had made it unlikely that a comparable surge would occur again in 2009. But occur it did, in areas such as automated account de-provisioning (from 27% to 38%), security event correlation software (from 35% to 43%) and even biometrics (from 19% to 30%).
Decline in Security Outsourcing
What has declined, according to the survey, is outsourcing to third parties. The worst economic recession in decades has apparently compelled more companies to spend less on outsourced security services and do more in-house. While 31% of respondents are relying on outsiders to help them manage day-to-day security functions, only 18% say they plan to make security outsourcing a priority in the next 12 months.
When it comes to specific functions, the shift has already begun. In 2008, 30% of respondents said they were outsourcing management of application firewalls, compared to 16% in 2009. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Companies have also cut back on outsourcing encryption management and patch management.
At the same time, more companies are spending money on these and other security functions. Sixty-nine percent said they're budgeting for application firewalls, up slightly compared to the past two years. Meanwhile, more than half of respondents said they are investing in encryption for laptops and other computing devices.
The results surprise Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. "When you think about it logically, some IT organisations have the resources and maturity to manage their operating systems and patches, but many don't," he observes. "Hopefully, the numbers simply mean IT shops have grown more mature in their security understanding."
Security Approach in 2010
Now comes the hard part. How do you make sure your company’s information is secure? The message this year isn’t new or different from other years, says PwC. It’s just more urgent. The survey results reveal that companies are looking hardest at, and placing their highest expectations on, initiatives that:
• Address the “big risks” first;
• Improve data protection;
• Invest in disciplined alignment with the security strategy; and
• Increase efficiency and reduce cost.
Many companies are also considering adopting a recognised security framework as a means of preparing for an expected wave of upcoming regulatory requirements.
“The keys to justifying and optimising security spending are to ensure that security and risk control practices are meeting explicit business objectives and, crucially, to persuade the business to take ownership of risk,” says Jay Heiser, research vice president at Gartner.
However, Heiser warns that companies are unlikely to achieve these critical goals if they are not careful about four common risk management mistakes:
- Providing All Business Units the Same Level of Protection. The same level of protection, or the same level of security spending, can’t be simultaneously effective and economically viable for each business unit, much less for every component within a single business unit. An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection. Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk.
- Making Plans Based on What the Security Organisation Wants, Not What the Business Needs. Security professionals have historically made technology-centric investment, implementation and deployment decisions based on what they believe is required, rather than on what the business needs. It is impossible to defend security plans, and the budgets they require, if they aren’t based on business objectives. If business managers can’t or won’t provide information about the risk significance of their business processes, then high-level managers must step in and mediate.
- Making Risk-Related Communications Too Complex for the Business to Understand. Security professionals must develop a consistent way to express and articulate the security-criticality of specific IT systems, information assets and business processes. Gartner recommends a simple three-level scale (high, medium and low) to provide a common reference point for articulating the business criticality of IT that can potentially be used for a corresponding set of risk management service levels.
- Allowing LOB Managers to Transfer Their Risk to the IT Organisation and the IT Security Organisation. Line of business (LOB) managers are only too willing to take advantage of the IT organisation’s and IT security’s willingness to accept residual risks, making the mistaken presumption that IT’s “standard offering” will effectively address any form of IT risk. Such an approach makes the IT organisation, or the IT security organisation, the scapegoat for security failures and any consequent reduction in perceived service or flexibility. Internal “market forces” can help align risks with benefits, if all systems and information assets are ‘owned’ by specific business managers who are accountable for any failures in security or continuity.
If this year proves to be a “trial by fire,” as PwC predicts, these strategies will be enormously valuable—not just in limiting damages to assets and reputations and mitigating risks but also in positioning companies for the recovery period and stronger business performance in the years ahead.
About the Author
Melba-Jean V. Bernad is a contributing editor at CFO Innovation.