Mindset shift needed for security budgets

By Suzanne Franco
Johannesburg, 20 Nov 2014
Security comes back to three core areas - people, processes and technology, says Julie Ferreira, senior account executive of RSA.

To cater for unknown threats, there needs to be a shift in the budget mindset from focusing on security controls that are purely preventative, to being able to detect and respond to security incidents that might materialise as a result of vulnerabilities and exploits to IT assets.

So says Julie Ferreira, senior account executive of RSA, the security division of EMC, commenting on the ITWeb-EMC IT Security Survey conducted during September.

The survey set out to determine the IT security landscape in SA, and to establish what influences IT security investment decisions. There were 490 valid entries in the study.

"To determine exactly how much budget should be adequate will always remain more of an art than a science, but by mapping out the relationship between IT assets and critical business processes, IT security departments can look at the impact a security incident to any of the IT assets will have on the related business process."

Once the impact has been determined, Ferreira adds, IT security departments can then look at what security controls are required to meet the balance between mitigating the risk, the cost of the control, as well as the cost for any capabilities required to detect when these controls have failed and the ability to mitigate the damage as a result of a security control being breached.

Some 32% of the respondents stated only up to 2% of their IT budget spend is invested in security, 15% stated between 5% and 8%, while 11% cited more than 15% of total IT spend.

Commenting on this finding, Ferreira says the actual IT budget for security will vary depending on the nature of the business, and the impact a security breach or incident may have on that organisation.

"Government, defence, financial, pharmaceutical, and organisations with valuable intellectual property, typically have a higher security spend. What's interesting from a lot of these reports is the amount of IT budget that goes into meeting compliance requirements rather than addressing security concerns where the by-product of improved security would be compliance and not the other way round."

Ferreira believes security comes back to three core areas: people, processes and technology.

"Organisations need to look at how they are adequately addressing each area, and often investing in the right people over the technology will bring greater rewards," she says.

A quarter of respondents stated ROI is one of the reasons investment in IT security is delayed or prevented, while 29% cited cost concerns.