Comapnies fail to grasp security rewards

Companies are still failing to track the returns on their IT security spending, according to a new report from analyst IDC.

Only 13 per cent of the 100 chief information officers, chief technology officers and IT directors surveyed said they tracked the costs and returns on their security purchases, despite nine out of 10 of the executives rating it in their top five priorites, and a shade under 40 per cent as their top IT priority.

But while security is considered important, only 15 per cent of firms regard it as a business investment in risk management.

"There's still a problem with attitude," said Gordon Morris, analyst at IDC.

"Security is a bit of a head-in-the-sand issue. Most board members don't come from an IT background and aren't used to operating in this way. They see IT security as a business cost or, as one person said, a 'necessary evil'."

But IDC added that attitudes are changing at board level as IT managers learn to demonstrate the prudence of risk management tools, although many still find it problematic to build a realistic picture of IT security return on investment (ROI).

Rather than comparing the cost of hardware and software with the cost of a breach in security, companies should look at the larger business benefits involved, said IDC.

"Risk management assessments are becoming an an increasingly important way of measuring a company's success, due to the growing focus on coporate governance and management accountability," added Morris.

"It is true that ROI of security investment may never be known," the report concludes.

"By working with risk management, though, some form of value can be understood and communicated.

"By measuring the effectiveness and value of IT security investment, a platform for providing a meaningful IT security platform can be achieved."

Companies looking to manage their risk are increasingly passing the problem on to third parties, either by outsourcing or moving into partnership with specific security vendors, the report said.

IDC also warned vendors that although risk management was now the key factor in most purchase decisions, scare stories about viruses and other malware were the least effective tool in persuading companies to set a firm security policy.