Preparing for the new norm: 2013 Guarding against a data breach survey
Despite the costs, though, budgets largely remain flat, with occasional spikes here and there, says Stephen Fridakis, CISO of the Food and Agriculture Organization of the United Nations (UN FAO), based in Rome. While a host of external factors may prompt some increase in the share of IT funding allocated to cyber security, often for motives that go well beyond the threat of a breach, most budgets remain fixed.
“By far the most significant factor affecting our investment strategy is regulations," he says. "Similarly, the second greatest influence is client requirements. Visa, for instance, requires certain cyber security hardware, software, policies and routine audits to engage in business relationships. Additional factors are results of current audits [or] response to media attention or a direct compromise.”
Of the 427 U.S. respondents to the survey, 70 percent say IT security departments and their leaders have the power, executive and business support, budget, and resources to continually improve overall corporate IT security strategies, compared with only 63 percent last year. Among U.K. and Australian respondents, though, the figure is much lower, at only 55 percent.
These numbers reflect the reality, says Ian Appleby, information security manager with Australia-based Endeavour Energy. “Budgets still remain flat, and all security projects are justified on a business-risk basis," he says. "Having a budget for new tools is good, but not fully effective without the budget for staffing to operate and manage the security environment."
And while some information security funds are seeing modest boosts, Fridakis adds that “there is concern that these budgets may not be able to sustain, in the long run, the increased capabilities that we establish today.”
Future plans
Just how much budget constraints shape current and prospective "increased capabilities" is up for debate, but some experts have already seen security worries hold back the adoption of new technologies that could support the business.
“I hear security concerns used as justification to delay system modernization efforts or other changes that might possibly create new exposures,” says Becky Bace, chief strategist at the Center for Forensics, Information Technology and Security (CFITS) at the University of South Alabama in Mobile. But information security leaders must be diligent about explaining to their bosses that “there's virtue associated with beefing up security testing and other mechanisms in order to fix problems before systems are deployed," she says.
Because C-level executives and boards of directors often see IT security as a cost center, misunderstand technology in general and fail to see how harmful data breaches can be to the bottom line and the brand, it is hugely important that CSOs inform and educate them about the threats and risks to their businesses.
“They must be able to place security into a business-relevant context and balance the needs to protect the organization versus the needs to run the business operations,” says Phil Ferraro, CISO of DRS Integrated Defenses Systems and Services.
The goal is to help business leaders “understand that cyber security is not an IT function,” but rather “a key business enabler,” he adds.
Yet, even though the potential adoption or deployment of new business-enabling technologies and services might have some influence on the continual shaping of an organization's information security plans, their impact should be as minor as that of chatter about the next big attack or the soon-to-be-released regulatory requirement. Instead, “appropriate risk management” that accounts for what the critical assets are, how they flow, and in what ways they underpin the business must be the main factor in updating security strategies, says Fridakis.
