A whitepaper by market intelligence and advisory
firm IDC, sponsored by Cable & Wireless and Nokia, urges businesses
to recognise the value of IT security not just as a cost but as
a way of persuading stakeholders that risk is being managed effectively.
Despite a high level of boardroom interest in IT security decisions,
only 13 percent of businesses attempt to demonstrate the value of
IT security expenditure by actively tracking its return on investment
(ROI).

In a survey of 100 UK CIOs, CTOs and IT directors,
carried out to evaluate the changing perceptions of IT security in a business,
IDC discovered conflicting views about its value:
• 71 percent of respondents said IT security decisions have
a ‘medium to very high’ level of board involvement;
• At the same time 90 percent place IT security in their list
of top five IT priorities;
• Despite this prominence, IT security is not considered a
business investment, with only 13 percent of the group actively tracking
its ROI;
• Only 15 percent of respondents place IT security in the
‘risk management’ domain, suggesting a low understanding
of the impact of IT security on a company’s risk management
strategy.
“Risk management assessments are becoming
an increasingly important way of measuring a company’s success
due to the growing focus on corporate governance and management
accountability,” said Gordon Morris, analyst, IDC. “Now
that IT is firmly recognised as a business enabler, with IT security
commanding the highest priority, taking a risk management approach
to prove the value of IT security provides companies with a meaningful
way to measure its business benefit. Many organisations try to do
this with direct ROI models, but this fails to reflect the business
value provided by an effective security policy.”

The whitepaper also examines the value of outsourcing
to help mitigate risk in IT. IDC’s research found that fewer
than 10 percent of respondents outsource any of their IT security
functions. However, the whitepaper recommends partnering
with third-party experts, which gives companies a level of expertise in
IT security that would be expensive to replicate internally. In
turn, this expertise demonstrates proactive risk mitigation to an
organisation’s stakeholders.
www.idc.com

• Date: 7th August 2003 • Region: UK • Type: Article • Topic: Information security