Cost, ROI worry security decision-makers
Cost is the biggest factor that delays investment in IT security for local companies, a recent survey found.
An IT Security Survey, carried out by ITWeb in partnership with RSA, revealed that cost is by far the biggest hindrance to investment in IT security within South African organisations, with more than 60% of respondents saying high cost had prevented or delayed investment.
The inability to determine return on investment (ROI) and lack of security management skills also ranked high in the survey.
"Organisations need to be mindful that the days of box-dropping some sort of security tool into their environment are long gone," says Ruben Espinosa, regional marketing manager at RSA, commenting on the survey results. "A full, end-to-end view of any IT security project - whether it is purchasing a new tool or service - needs to be adopted that not only looks at the costs around acquisition of the tool, but also implementation to a defined state, training, ongoing maintenance renewals, time and resources allocated to the running of the tool, and identifying key stakeholders."
Espinosa continues: "IT security follows the same principle as any form of security in that it is about risk mitigation. To understand and justify the ROI, an organisation needs to be able to explain how the security investment is able to reduce the risk to the business. So, what is the risk the tool or service is protecting the business against? What would the impact be if the risk materialised? What is the likelihood? And how is effectiveness tested? This approach needs to be reviewed regularly and, in particular, before renewing any existing solutions or services that require further expense."
Despite cost being a major consideration, more than 40% of respondents could not estimate what percentage of their IT budget went towards security. A further 40% said it was below 5%, and about 20% said it was above 5%.
It comes as no surprise that most respondents (68%) rated IT security as being of high or critical importance.
Espinosa notes large financial institutions are typically aware of the criticality of IT security. "This might have something to do with the inherent nature of their business, as they are used to placing their tangible valuable assets in secure areas such as vaults and safety deposit boxes," he says.
However, Espinosa believes the boards of directors in non-financial organisations are not fully aware of their dependence on IT, and it often takes some sort of incident or breach to make them take notice.
Forty-three percent of respondents indicated that their organisation plans to embark on an internal security strategy project within the next six to 12 months.
According to Espinosa, IT security strategies need to be closely aligned to the objectives of the business, and a key starting point is aligning IT security to regular business impact assessments.
"What are the key business processes within the organisation, and how are they dependent on IT? What are the regulation or compliance requirements? What new products and services is the organisation intending to launch?" asks Espinosa.
The top issues addressed in security strategies are network security and visibility (63%), identity and access management (62%), and malware prevention/protection (53%). Also on the list of priorities are access governance as well as general GRC (governance, risk and compliance) solutions.