Improving security remains a pressing objective for enterprise IT, according to a recent survey by Forrester Research. But as for the funding to tackle this priority, CIOs must find ways to do more with less. Among IT decision-makers at companies of more than 20,000 employees, 67 percent called significant security upgrades a priority or a critical priority in 2006. And at companies of 5,000 to 19,999 employees, 63 percent of IT execs said the same. The conundrum: despite management's high expectations for security, the budget to achieve security goals has shrunk.
Information security's slice of the IT budget fell to 7.8 percent in 2006, from 8.9 percent in 2005. That drop was more significant when looking only at North American companies – 6.9 percent in 2006, down from 8.3 percent in 2005. (Forrester surveyed 1,214 North American and European IT decision-makers.)
Why the drop? For one thing, upper management continues to be skeptical of security investments, says Khalid Kark, senior analyst at Forrester Research. Security technology is mature enough that business-side executives expect standardisation, measurement and accountability, which is tough since both security risks and ROI are hard to quantify, Kark notes.
To help reduce costs, IT security execs should prioritise integration and seek product suites that provide a single dashboard view of myriad technologies or inputs, he says. But don't ignore the important role that people and processes play either, says Kark. "There's a huge risk reduction if you educate employees."
Create a proactive and holistic security strategy.
First, examine how breaches actually occur, then base product purchase decisions on that information. (Forrester found a gap between installed security products and how data breaches occur.) Second, create a security awareness program; many breaches are due to ignorance. Third, identify and shore up vulnerable points in the company workflow.
Market information security to upper management.
When briefing management regarding data breaches, show the value of security and the consequences of unmitigated risk. Also, be vocal about the current and future threat landscape: Don't wait until you need funding for a specific project to begin talking about it.
Translate security's value into financial terms.
For example, one company converted blocked spam into money saved by figuring out how much time (in terms of wages) unwanted emails would cost each employee.