Information Security Needs More Investment
After significantly increasing their information security budgets and efforts in 2010, technology, media and telecommunications (TMT) companies generally held steady on their information security activities, budgets, governance and reporting in 2011, according to the results of Deloitte 2011 TMT Global Security Survey.
That said, information security threats have increased on multiple fronts over the past 12 months including “hacktivists,” cyber criminals and state-sponsored actors intent on targeting intellectual property, customer information and increasing business disruption.
Coupled with the increased use of emerging technologies to enable business, such as the cloud, mobile devices and social media, it’s not surprising that information security breaches were reported by 75 percent of the 138 global organizations surveyed – an increase over the previous year.
The overarching message is clear: TMT companies need to significantly up their investments in information security to appropriate manage the real risks to the business and address the public imperative of improved information security.
“The threats to information have never been at a higher level, and in today’s hyper connected world there is no such thing as an isolated threat. Unfortunately, many TMT organizations are investing a smaller portion of their IT budget than in previous years on information security,” said Irfan Saif, who leads Deloitte’s security and privacy services to the TMT industry.
Deloitte’s survey shows that more than half of the respondents report spending between just 1 and 6 percent of their information technology budget on information security. Moreover, more than half (52 percent) of respondents indicated that their expenditures on security are falling behind or just starting to catch up to previous years’ investment levels.
“This level of investment and attention is insufficient to effectively address a corporate responsibility to manage risk and the public imperative of improved information security,” Saif added.
Chief Information Security Officers (CISO), who are primarily responsible for information security at most organizations, are stretched far beyond a reasonable bandwidth, according to the survey. Many CISOs, including 51 percent of survey participants also handle business continuity management, disaster recovery planning, physical security and risk management.
“Information security should not be viewed as just a CISO activity. There needs to be more C-level attention to security and a corporate climate that fosters proactive management of growing security risks. Cross-functional collaboration and ownership is integral to a successful enterprise information security program,” Saif added.
Additionally, CISOs must also manage the growing number of threats introduced by employees themselves via increased use of social media and use of personal mobile devices in the workplace.
Mobile devices are considered the number one security threat for 2012, according to nearly 40 percent of respondents. Although the concept of ‘bring your own device’ offers many potential benefits, it presents many challenges and questions about data confidentiality, employee privacy, application development and distribution, and mobile device support.
Not lost in this year’s survey is the increased scrutiny focused on information security – and corresponding increased regulatory efforts by governments around the world to protect the public. As a result, compliance with information security regulations and legislation is rated the top security initiative for TMT companies.
“Information security is essential to our modern way of life and TMT organizations are at the center of the action,” explained Rhoda Woo, national managing director of security & privacy, Deloitte & Touche LLP.
“Improved information security isn’t just a good business practice for TMT organizations but a public imperative. The level of investment and resource effort has to match the rising security challenges in order to be effective.”