Data Breach Survey: Getting the bosses on board

Illena Armstrong, VP, editorial, SC Magazine
Check-box security programs, sometimes driven by FUD-based arguments, are still compelling when fighting other departments for tightly controlled budget dollars. Yet holistic risk management and security plans, driven by strong information security professionals and strongly supported by forward-thinking executive leaders, are staking a claim in some large businesses – despite a still-concerning economy.

The problem, though, is that the former scenario still dominates. And though some economic indicators support incremental but slow improvements in coming months, others point to many of the Great Recession's effects lingering well into 2011.

IT security spend, then, likely will remain flat this year, according to SC Magazine's fourth annual Guarding Against a Data Breach survey, which was conducted by SC Magazine and ArcSight with research firm CA Walker. Out of the 468 information security leaders participating in the survey, 36 percent expect their budgets for IT security projects and data leakage prevention efforts to increase in 2011, compared to 41 percent out of 399 in 2010. The great majority of respondents – close to 60 percent – expect budgets to stay the same. On the positive side, only six percent face a drop in funding this year compared to 12 percent last year.

So, at least some organizations can still satiate their needs. But just how are these defined?

This takes us back to the original issue. Regulatory mandates are continuing to drive IT security programs. And, as the saying goes: You can get compliant with a sound security program in place, but you might not necessarily get information assets secured with a compliance-based plan. For many information security pros who know this, the reliance on their stakeholders' fears, uncertainties and doubts – the all-too-present FUD – sometimes works. So, they get bits of financial support or resources that allow them to address a particular vulnerability in their networks, a good thing, but still leave other holes gaping for cybercriminals to march right through. And forget about a more strategic, overarching plan.

Solutions to all these challenges aren't simple. But the consensus among experts commenting on this year's data breach survey is that the answer likely lies somewhere in the need for information security pros to educate their executive leaders to understand (and accept) that well-thought-out information security programs can enable the business and also satisfy customers' expectations, which might lead to some profit gains. After all, for the first time since the establishment of this survey, possible negative impact to the corporate brand, tied with compliance demands, is a top driver for security planning. It was an ever so slight change, but a change nonetheless.

For now, those in the information security arena will continue to take what they can get, it seems. If FUD or regulations still play a role, show them the soapbox…and the money.