Many enterprise IT security budgets may be focused too heavily on protecting credit card data and customer personal information rather than safeguarding more valuable corporate secrets.
Forrester Research Inc.,
That was the conclusion of a global survey of 305 people with primary responsibility over IT security budgets, conducted by Forrester Research Inc. CISOs value company earnings and financial information the most, yet the majority of IT security spending is aimed at protecting less valuable data, according to the survey, which was commissioned by Microsoft and RSA, the security division of EMC Corp.
The survey found most security spending is driven by compliance initiatives, which focuses on protecting less valuable custodial data in the form of customer personally identifiable information and credit card numbers. The data makes up a smaller proportion of a company's assets, about 38%, while 62% of valuable enterprise assets typically make up corporate secrets. But those in charge of the security budgets allocate dollars evenly, devoting half of the security budget to protecting corporate secrets, in the form of strategic plans, sales forecasts and financials and the other half to protecting custodial data as part of a compliance program.
IT security budgets:
Security jobs survey finds fewer budget cuts, lower security salaries: The period of declining IT security budgets as a result of the global recession may be coming to a close, according to a survey by security certification firm ISC-squared.
Mapping the path toward information security program maturity: Amid tight information security budgets, it can be hard to recommend the best ways to invest new dollars or focus new resources.
Expert: Information security spending often restricts innovation: In the opening keynote at the Black Hat USA 2009 conference, a former Google executive urged security pros to stop spending money on technologies that place restrictions on employee innovation.
Companies are protecting against having a high profile data breach, rather than preventing outsiders from accessing corporate intellectual property
"Catastrophic toxic data spills are dramatic and expensive, and they garner the most headlines. But for most enterprises, secrets are more valuable than custodial data," according to the Forrester report, "The value of corporate secrets."
The Forrester survey reached people at organizations in the United States, Europe, Australia and New Zealand. It found that many firms need to do a better job identifying valuable assets and weighing the risk of losing those assets. Once the most valuable assets are identified, spending on security can be allocated to better protect corporate secrets while maintaining a strong compliance program.
"I don't think we're calling for a wholesale reevaluation of how enterprises invest," said John Chirapurath, senior director of the Identity and Security Business Group at Microsoft. "It calls attention to the need to recognize the pitfalls and take the opportunity to assess risk in an organization and remediate that risk appropriately."
The survey also found a contrast in vertical industries. Firms in the manufacturing, information services, professional, scientific and technical services and transportation accrue between 70% and 80% of their information portfolio value from corporate secrets. But healthcare firms and governmental entities reported 60% or more of the value of their information assets are custodial data assets, such as patient medical records.
Insider threats being neglected
The focus on compliance has put more of an emphasis on preventing employee mistakes rather than securing the critical corporate secrets. While employee mistakes in the form of a lost smartphone or laptop and email leakage happen more often (57% of incidents), Forrester found that the loss of sensitive corporate data by a malicious insider is 10 times costlier on a per-incident basis.
The survey found the average cost for lost smartphone incidents was about $12,000 per incident, while lost laptops and accidental leakages cost $26,000 per incident. Meanwhile, a malicious theft by an insider costs about $363,000 per incident.