A study has shown organisations are not getting the full potential from their information security and audit spend, and could squeeze significant savings from their budget if they followed a five-point process for more rigorous risk management.
In a benchmark study carried out across 700+ mostly US sites, organisations were ranked according to how well they were able to cope with safeguarding the confidentiality of sensitive information, how good they were at preserving the integrity of information, assets and controls in IT, and whether they could ensure the availability of IT services.
The difference in outcome between best and worst performers in these three categories was found to have nothing to do with the size of security budgets. What mattered was how those budgets were used, the security body behind the study has said.
In a new report it recommends that there should be a senior management team whose job is to manage risk, and that this group should be prioritising risks, improving controls, and automating procedures. The team should also be continuously assessing controls and risks, leveraging technical controls, policies and IT change management, and carrying out comprehensive reporting.
The outcome of this coordinated approach to risk should be fewer incidents of data loss or theft, lower levels of business downtime and fewer problems with regulatory audit in IT, the IT Policy Compliance Group (ITPCG) has said in its report.
With security budgets equal, some firms are incurring 149 times more costs in data loss than peers, the ITPCG noted.
“Firms operating at the worst levels paid the price, literally, with data loss and theft equalling 9.6% of annual revenue and business downtime costs equalling nearly 3% of annual revenue.”
Its research found that firms with the best outcomes were actually spending between 35% and 52% less on audit fees and expenses.
The study identified that just 13% of all firms are achieving the best results, experiencing fewer than three losses or thefts of sensitive information each year, less than 7 hours of business downtime, and fewer than three audit-failing deficiencies.
The study, sponsored jointly by the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute and Symantec Corp, promotes a risk-based approach to security budgeting that rewards results.
“The research findings show that an organisation’s loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high,” Jim Hurley, MD of the ITPCG and principal research manager at Symantec, said.