UK Companies don't treat information security as a risk management issue: IDC survey

A whitepaper by market intelligence and advisory firm IDC, sponsored by Cable & Wireless and Nokia, urges businesses to recognise the value of IT security not just as a cost but as a way of persuading stakeholders that risk is being managed effectively. Despite a high level of boardroom interest in IT security decisions, only 13 percent of businesses attempt to demonstrate the value of IT security expenditure by actively tracking its return on investment (ROI).

In a survey of 100 UK CIOs, CTOs and IT directors to evaluate the changing perceptions of IT security in a business, IDC discovered conflicting views about its value:

  • 71 percent of respondents said IT security decisions have a 'medium to very high' level of board involvement;
  • At the same time, 90 percent place IT security in their list of top five IT priorities;
  • Despite this prominence, IT security is not considered a business investment, with only 13 percent of the group actively tracking its ROI;
  • Only 15 percent of respondents place IT security in the 'risk management' domain, suggesting a low understanding of the impact of IT security on a company's risk management strategy.

"Risk management assessments are becoming an increasingly important way of measuring a company's success due to the growing focus on corporate governance and management accountability," said Gordon Morris, analyst, IDC. "Now that IT is firmly recognised as a business enabler, with IT security commanding the highest priority, taking a risk management approach to prove the value of IT security provides companies with a meaningful way to measure its business benefit. Many organisations try to do this with direct ROI models, but this fails to reflect the business value provided by an effective security policy."

The whitepaper also examines the value of outsourcing to help mitigate risk in IT. IDC's research found that fewer than 10 percent of respondents outsource any of their IT security functions. However, the whitepaper recommends partnering with third-party experts, through which companies gain a level of expertise in IT security that would be expensive to replicate internally. In turn, this expertise demonstrates proactive risk mitigation to an organisation's stakeholders.

Acknowledgement - This article was originally published in Continuity Central (www.continuitycentral.com), a resource of business continuity information. Copyright © Portal Publishing Limited

 


