British CIOs won’t spend anything like as much on information security next year as their international competitors – despite the fact that 60% of that group say ongoing economic conditions and the increased number of security threats out there warrant more spending.
The data is from the 8th Global State of Information Security Survey, conducted by PricewaterhouseCoopers (PwC), which is generally regarded as the most authoritative annual study in the field; it is in any case the largest of its kind: in 2010 some 13,000 executives and information security professionals around the world were questioned in depth about their security plans and policies. (The UK cohort was 640 IT leaders.)
The authors say that just 31% of UK companies contacted plan to increase spending on information security in the next 12 months compared to 52% of the group as a whole. That puts it, allegedly, "out of step with the rest of the world when it comes to planned spending on information security".
This reluctance to spend also has to be seen in a context where, globally, business impacts over the last four years – including financial losses as well as compromises to brands and reputations – have more than tripled in some cases, rising by as much as 233%.
That often arises, of course, through careless or porous commentary on social networks – and, oops, here again we ain’t flashing the cash. In the UK only 32% of respondents said their organisation has implemented the "necessary" [sic] technologies needed to support social networking and other Web 2.0 exchanges (blogs, wikis) which "compares unfavourably with 60% globally".
You may or may not agree that this is a serious area yet – but PwC does. "Lack of focus on social networking can expose organisations to a variety of risks, including loss or leakage of information, damage to a company’s reputation, illegal downloading of pirated material, and identity theft," cautions William Beer, director of its OneSecurity practice. "It’s not a passing fad and the real challenge will be how to integrate it with the more well-established operational models."
Reluctance or inability? The survey is ambivalent here – maybe reflecting the mindset of the CIOs whose views were sought. It is not too surprising that the challenging economic and business environment we’re experiencing in the UK post-recession is having a negative impact on security spending, says Beer. But such spending restraints may risk "seriously undermin[ing] the ability of organisations to protect their most sensitive data."
Outsourcing and supply chain concerns were also singled out by the survey as significant drivers of security spending – but, again, the UK is somewhat out of step with the global trend, as a larger proportion of UK respondents said their business partners (68%) and suppliers (66%) had been weakened by economic conditions.
The survey also says UK firms are increasingly turning to insurance as a way to protect themselves from theft or misuse of assets like sensitive data and customer records: over a third (38%) said their organisation has an insurance policy and a quite startling 83% said their company has collected on such a claim, compared to just 13% globally.
In other words – we’d rather pay insurers to try and repair the damage post-breach than invest in IT to block the danger upfront?
These results I do say surprise and concern me to the extent that by relying on insurance, we are taking a gamble the bad thing won’t happen… and of course, paying insurance is over the longer term surely a more costly option?
But this survey is also bad news for suppliers. I think it says we’ve stopped listening. The onus is surely back on the industry to get us interested enough again to find the money. Yes, we are all grown-ups, but risks are being run here that are surely scary for us all in British ICT.