15 July 2003

Information security is important, but who’s going to pay?

Some 90% of organisations rate information security as a top priority for achieving their overall business objectives, according to the findings of the 2003 Ernst & Young Global Information Security Survey released on Tuesday.

The survey, conducted by global audit and business advisory firm Ernst & Young, shows that insufficient budget is the number one obstacle to effective information security; it was cited by 56% of the 1 400 organisations surveyed. This was followed closely by resource priorities.

The survey says this is not surprising, in view of the tight economic picture that prevailed in most nations during the survey period.

The survey sample represents 26 industries from 66 countries, and the majority of respondents (60%) were chief information officers, chief information security officers and other information technology executives.

“Scarcity of funds is a major problem,” said Grant Brewer, partner in charge of Information Security at Ernst & Young.

“This appears to be compounded by the fact that 51% of the chief information officers, chief information security officers and other technology executives surveyed believe they are successfully aligning security spending with their key business objectives.”

Another prominent issue connected with information security is the motivating power to mitigate risk. More than a third of organisations (78%) identify risk reduction as their top influencer when they are considering expenditures on information security solutions.

According to Brewer, the survey shows that there is a clear gap between what organisations define as a major business objective, protecting their information resources, and where they allocate funding. The survey found that nearly 60% of organisations say they rarely or never calculate return on investment (ROI) for information security spending and therefore do not value ROI as a measure of information security spending effectiveness.

“This shows that return on investment appears to have fallen out of favour as a measure of the effectiveness of information security spending,” said Brewer.

The survey results highlight a significant difference between types of spending on information security: 83% of organisations list technology spending as the largest component of their information security budgets.

Moreover, only 29% of organisations list employee awareness and training as a top area of information security spending and only 35% of organisations say they have continuous education and awareness programs.

According to the survey, viruses and worms are the leading information security concern and continue to generate the most media and public attention. Among other findings: more than 34% of organisations rate themselves as less than adequate in their ability to determine whether their systems are currently under attack; more than 33% of organisations say they are inadequate in their ability to respond to incidents; only 34% of organisations claim to be compliant with applicable security-driven regulations; and 78% of organisations identify risk reduction as their top influencer of information security spending. – Sapa