Does The Boardroom Create A Barrier To Better Security?

IT security is important. We all know this, whether our working life sees us sitting at the boardroom table or at a cash register at the point of sale. Its importance varies depending upon your role in an organisation, however, it is people who sit around boardroom tables who decide upon where it sits as a strategic - and thus investment - priority.

A recent Dell survey of nearly 1,500 companies worldwide revealed that companies invest about 20 per cent of their overall budget in IT, and of that figure 17 per cent is spent on security. Interestingly, companies that have not been the victim of an attack or failure of some sort tend to invest just 12 per cent of their IT budget in security, while those who have been breached invest 18 per cent. This seems to prove that companies really do seem to learn from their own mistakes.

The same survey also found that 87 per cent of companies have experienced a security breach at some point, with losses for those firms approaching $1 million (£594,000). Yet only 18 per cent consider predicting and detecting previously unnoticed threats as a top security concern today. Do IT security people really believe that what they don't know can't hurt them?

A variety of barriers to successful IT security exist. From the survey, resources and/or workload constraints were cited as a barrier by 49 per cent of respondents, while budgetary constraints came second, with 46 per cent identifying it as a major obstacle to success in securing organisations globally.

That a lack of resources and budgetary constraints are holding back IT security will hardly come as a surprise to most as we creep out of a major global recession. One of the reasons this is the case is that "management" still believes security is "restriction and denial" and in its pursuit of revenue, security is frequently considered a "phase two" feature that is secondary to "business functions."

In recent times, the top priority for the people whose responsibility it is to hold onto the company purse strings has been to rein in expenditure. And, according to the survey, these people do not rate IT security highly enough – 37 per cent of those surveyed reckon there is a lack of buy-in at the top level and 36 per cent say there is a lack of understanding. Incredibly, 31 per cent of respondents suggested people at board level did not see a connection between security and revenues.

One recent high-profile story that should focus the minds of the people at the top table is that of Beth Jacob – the now former CIO of US retailer Target. Jacob tendered her resignation at the start of March after Target suffered a drop in sales, as the personal data for up to 110 million accounts may have been breached during the run-up to Christmas.

The cost for Target's data breach is estimated (at the time of writing) to be as much as $61 million (£36 million) - and while $44 million (£26 million) of that was covered by insurance, it is surely enough of a figure to persuade many that security is a very real threat to business and that it's really important to take a proactive approach and step up to this challenge.

Kevin Norlin is the vice president of Dell Software EMEA