Fewer than 20% of European organisations have achieved a maturity level that allows them to confront security challenges proactively
- High heterogeneity of investments in IT security
- The seven "Golden Rules" for successful investment
- The best practices to make IT security programs succeed
META Group and Bull announce today the publication of a survey on the business value and the return on investment of IT security in large European enterprises and government organisations.
The survey is based on face-to-face interviews with chief information security officers (CISOs) considered to be opinion leaders. The interviewees represented large organisations with between 9,500 and 70,000 end-users. Research was conducted in the UK, Germany, France, Spain, Italy and the Nordic countries. Participants were drawn from the manufacturing, finance, telecommunications, government and utility sectors.
The business value of IT security: a key issue in the networked enterprise
More than ever, IT security is becoming a key issue for the enterprise. The growing openness of information systems (Internet, e-commerce, mobility, WiFi, etc.) and the new regulations emerging in Europe and in the US place IT security among today's main concerns for executives and chief information officers.
At the same time, return on investment (ROI) is a growing concern. Security represents an important financial issue, both in its intrinsic cost (it usually represents 5% to 10% of IT investment) and in its consequences (the possibility of large losses due to attacks). However, by its very nature the ROI of security is difficult to calculate.
How can security officers choose between different security projects to best protect the enterprise? How can the success of investments in IT security be ensured? What value do these investments create, and how do they contribute to the business? What errors should be avoided and what best practices followed?
The META Group / Bull survey explored these issues in depth.
1) A weak link between security and the enterprise business processes.
The survey's first finding is the weakness of the link between security and the enterprise business. While security investment is relatively higher in the core business functions that produce value - such as R&D in manufacturing, supply chain and e-commerce management - few organisations manage risk in a way that builds a trusted infrastructure tightly matched to the business.
2) Heterogeneous investment levels, based on cost justification rather than value measurement.
Varying levels of security investment are observed, depending on industry sector, geography, business function, and the security awareness / maturity level of the specific enterprise. However, the definition of what exactly constitutes a "security investment" varies between enterprises, making security budgets, accounting and comparison heterogeneous.
The survey shows that, when defining their security budgets, enterprises focus more on cost justification than on value measurement.
Value measurement is rarely used. Few enterprises draw a link between the roll-out of an enterprise-wide security platform and improved operational capability for the IT function. The easiest programs to justify are those related to virus protection - the frequency of virus attacks makes it relatively straightforward to measure savings directly in hours or days saved per end-user - and those related to identity management.
3) Today, fewer than 20% of European organisations have achieved a level of organisational and process maturity that allows them to confront security challenges proactively.
Most companies still confront these challenges in reactive mode.
Seven "golden rules" to optimise the success of security investments
Drawing on the experience of their successes, their difficulties and their failures, the CISOs interviewed in the META Group / Bull survey highlighted the following elements:
For security managers, the most frequent causes of failure are:
* Not being involved from the start in large IT projects.
* Not involving corporate and operations managers more tightly in IT security planning.
* Not driving security initiatives from the processes to be secured (rather than from the technology).
* Not taking the cultural specificity of each enterprise into account.
The META Group / Bull survey made it possible to group these best practices into seven "golden rules" that are essential for enterprises to define, develop and roll out IT security programs successfully.
1. For the majority of European enterprises, cost-efficiency is the primary way of communicating the value of security initiatives. Because 70% of IT organisations are still perceived by their stakeholders as cost centres rather than value centres, a traditional ROI approach based on identifiable cost reduction (anti-virus, identity management, etc) will be the most effective means for "selling" security initiatives to the business.
2. Security technology must support enterprise policies and processes. The survey highlights the fundamental importance of collaboration between IT security teams, line-of-business sponsors and chief information officers to ensure the effectiveness of security projects. The survey also underlines the importance of modular, stage-by-stage implementation of IT security programs.
3. Security infrastructure programs should "ride" the budget process for enterprise-wide strategic applications or core infrastructure whenever possible. The META Group / Bull survey highlights the value of improving security through central (i.e. corporate-initiated) investment in infrastructure.
4. Building awareness and successful communications are key to successful security program implementation. A communications policy adapted to the enterprise culture has proven to offer CISOs increased credibility. As a result, security organisations should raise the stakes in the marketing of security in the enterprise.
5. Risk assessments are key to security budgeting and to defining investment priorities. The META Group / Bull survey recommends that organisations always have their risk assessments performed by a reputable external auditor, to avoid biased assessments.
6. Enterprises must assume that the future will be far more complex than the past. The survey underlines the importance of anticipating the increased complexity of the future IT environment. A technology- and platform-independent approach to security management is an important factor in reducing complexity.
7. The full business value of security can only be measured in relation to a business process that generates value. Making a link between security and processes is a key strategy for unlocking the business value that security can enable. For example, virtually all enterprises use organisational risk assessments as input to their security budgeting process. But only one of the CISOs interviewed has integrated business value into the assessments.
More information
The complete and detailed survey, including graphics and numerous quotes from CISOs, is available directly from Bull upon request.
Bull designs and develops servers and software for open environments, integrating the most advanced technologies. It brings its expertise and know-how to customers to help them transform their information systems and optimise their IT infrastructure and applications.
Bull has a particularly strong presence in the public sector, banking, finance, telecommunications and industry. Capitalising on its wide experience, the group has a thorough understanding of the business and specific processes of these sectors, enabling it to advise and support its customers efficiently. Its distribution network extends to over 100 countries worldwide.