The main problem facing the information security industry is the lack of communication between corporate boards and IT decision makers, according to research released this week from IT security firm Articon-Integralis.
IT security vendors realize they must find a clearer way to show the correlation between investment in IT security and the less tangible costs of cybercrime. They plan to do this by analyzing spending versus risk.
"We should de-mystify the whole thing," said Philip Wicks, UK Marketing Director for Articon-Integralis. In the past, IT security firms focused on selling as much technology as possible to IT managers. But now that most companies are slashing expenses, corporate boards are making spending decisions.
While 61% of IT decision makers think business directors are becoming more aware of the issues around IT security, 79% have no confidence in senior managers' ability to understand the technology, an Integralis survey showed. Integralis surveyed 146 IT managers in the UK. The company plans to create an ongoing, quarter-by-quarter barometer of IT security-spending patterns in Europe by October 2001. Similar surveys will follow in France and Germany before the autumn.
The marrying of technology and business decision-making processes is becoming a key issue for the IT industry. In the current economic climate, technology must pay. Nowhere is this truer than in IT security spending, where technology costs can be astronomical, which means decisions have to be approved at board level. And there are lots of vendors competing for business.
In most cases, firms investing in IT security are paying for something bad not to happen (i.e., the spending is not revenue-generating), which makes the sell even harder. Consequently, firms like Integralis are conducting research into what drives decisions behind IT security investments to improve their revenues.
Scare-mongering is rife in the industry. In the US, research from the FBI and other law enforcement agencies found that white collar crime is now costing corporate America more than $400bn a year and rising at a rate of 10% to 20% annually. In the UK, an Ernst and Young survey of the top 1,000 companies found that nearly 70% had been defrauded, and that the fraud involved an employee in 80% of cases.
Often, business managers reacted by burying their heads in the sand. What's the point of investing in a problem that can't be solved? IT managers tend to approach such problems by throwing "out-of-the-box" products at a situation with plenty of gray areas.
Publicity about how difficult it is for companies to install technology to combat viruses and hackers has added to the problem.
Most companies install firewall and anti-virus technologies, but these are partial solutions to a multi-faceted security problem. It is essential for a company to implement standards, policies and a decisive blueprint by which to react quickly to security breaches when they occur. Without this, the pieces of IT security implemented don't add up to a cohesive whole.
This is a major reason why the IT security industry as a whole is becoming much more services-focused. Outsourcing the management of their security is becoming a popular choice among large and small enterprises. Security vendors are finding that revenues are often easier to come by when advising companies how to institute security policies and install products.
the451 (www.the451.com) is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media.