February 23, 2009

Risk controls boost security spending returns: study

Offers guidance on how to reduce risk and financial loss

By CBR Staff Writer

A study has shown organisations are not getting the full potential from their information security and audit spend, and could squeeze significant savings from their budget if they followed a five-point process for more rigorous risk management.

In a benchmark study carried out across 700+ mostly US sites, organisations were ranked according to how well they were able to safeguard the confidentiality of sensitive information, how good they were at preserving the integrity of information, assets and controls in IT, and whether they could ensure the availability of IT services.

The difference in outcome between best and worst performers in these three categories was found to have nothing to do with the size of security budgets. What mattered was how those budgets were used, the security body behind the study has said.

In a new report it recommends that there should be a senior management team whose job is to manage risk, and that that group should be prioritising risks, improving controls, and automating procedures. The team should also be continuously assessing controls and risks, leveraging technical controls, policies and IT change management and carrying out comprehensive reporting. 

The outcome of this coordinated approach to risk should be fewer incidents of data loss or theft, lower levels of business downtime and fewer problems with regulatory audit in IT, the IT Policy Compliance Group (ITPCG) has said in its report.

With security budgets equal, some firms are incurring 149 times more costs in data loss than peers, the ITPCG noted.

“Firms operating at the worst levels paid the price, literally, with data loss and theft equalling 9.6% of annual revenue and business downtime costs equalling nearly 3% of annual revenue.”

Its research found that firms with the best outcomes were actually spending between 35% and 52% less on audit fees and expenses.

The study identified that just 13% of all firms are achieving the best results, experiencing fewer than three losses or thefts of sensitive information each year, less than 7 hours of business downtime, and fewer than three audit-failing deficiencies.

The study, sponsored jointly by the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute and Symantec Corp, promotes a risk-based approach to security budgeting that rewards results. 

“The research findings show that an organisation’s loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high,” Jim Hurley, MD of the ITPCG and principal research manager at Symantec, said.

