Monday, January 18, 2010

How much do you spend on IT Security? Do you really know?

By Stuart Okin , managing director of Comsec Consulting UK
Published: May 1 2009 09:37 | Last updated: May 1 2009 09:37

What a business is spending on its IT security could amount to 2 per cent of revenue – a figure that should make everyone sit up and think.
Consider a global hi-tech company, operating in about 20 countries, with a user population of 10,000 and revenues of £850m. Such a company would need to make sure the following areas have all been attended to:

● Process activity – such as risk assessments, audit and penetration tests
● People activity – such as awareness campaigns, security and compliance training
● Development activity – such as re-coding applications with security vulnerabilities
● Technical controls – such as AV, firewalls, intrusion detection systems, patch management
● Operations and incident management – network and security monitoring
● Fraud prevention – including investigation services

The heads of security within companies I have spoken to over the past couple of months do not know how much they spend on IT security. But the cost of IT security could be anywhere between 0.01 and 2 per cent of revenue. In the case of the imaginary company above, the top of that range would equate to a potential £17m.

I have been working with a large enterprise in pulling together a model to understand the true cost of IT security. Both my sponsor and I believe we can produce huge financial savings, through standardisation, consolidation, better utilisation of what is in place, improved supplier management, and implementing fraud mitigation solutions.

Any change programme requires investment. The first step, therefore, is to work out what is spent today on IT security, in order to make a business case for investment.

One head of security I spoke to at a large financial organisation called their IT security “a cottage industry within the company”. This is because the last few years have seen the security agenda break up into a fragmented model – it has been pushed away from the centre.

This does have some benefits, as it moves security closer to the coal face, resulting in improved awareness and responsiveness, but it can also lead to silo thinking, with the implementation of costly point solutions, localised standards and isolation of good practices.

The concern I have is that if a business does not know what it has across the entire organisation, then how does it know whether it has the appropriate tools and operations in place to minimise risk to the business?

Businesses should use the recession to open up opportunities: for IT security leaders, this means being proactive in order to help the business save money and improve the overall security environment.

However – be warned – this will mean the IT security leader will need to take on responsibility and accountability.

Copyright The Financial Times Limited 2009