Survey: 77 percent of IT staffers have incorrectly reported the cause of a security incident

Questions about the recent PwC "Global State of Information Security" survey have arisen regarding its finding that budgets for information security are on the decline. But if some industry experts' assumptions about this particular result are the least bit true, many organizations will need to take a hard look at the organizational structures into which IT security has been folded.

With almost 10,000 executives and IT security directors responding, the study showed that security budgets this year globally dropped by four percent. This 2014 decline happened after the same research showed funds rising for the last three years, and revealed that security incidents had spiked about 48 percent to 42.8 million this year. To most pros, this latter stat likely is no surprise, but it's still a bit staggering when one considers that it breaks out to about 120,000 attacks daily.

Disheartening? Yes. Even PwC execs noted surprise at the budget drop, especially considering that research firm Gartner has forecast security spend to jump by about eight percent to some $71 billion this year, according to a recent report by SC Magazine UK's Senior Reporter Doug Drinkwater.

So what gives? PwC had no clear answers for the drop, but reported that security spending did remain consistent at less than four percent of total IT spending, implying that most security budgets, along with IT security leaders and their staffs, still fall under the management of the IT department and CIO, according to Drinkwater's report.

"IT security spend is now becoming a pervasive part of everyday corporate operations..."

And there's the main crux of the problem. Some experts quoted in our news item (at scmagazineuk.com) said that another reason for the seeming decline in IT security spend is that it is now becoming a pervasive part of everyday corporate operations and is therefore being absorbed by business units whose projects and functions require protective measures that are not earmarked specifically as IT security. But another reason could also be that more of the overall IT budget is facing a downturn as organizations look to save money through adoption of cloud and software-as-a-service (SaaS) offerings.

Combine these trends with PwC's findings that boards of directors take little part in a list of high-level security activities, and one can conjecture on a few areas. The first is that if IT security is indeed becoming more entangled with expenditures related to the ordinary course of doing business, then we're moving in a solid direction. The second is that we're still on the wrong path if boards aren't paying the least bit of attention to information security and risk planning until a data breach happens on the scale and with the frequency we're experiencing now.

But, even more importantly, without that board-level commitment and the understanding and support that follow from it, hierarchical structures will remain antiquated, with security falling under IT. That's bad for myriad reasons, but in this specific case it unveils the hazard of IT security spend declining right along with IT spend when it should be at least maintained, if not bumped, given today's data exposure perils. As Phil Cracknell, CIO and director for the security and privacy service at consultancy Company85, told our reporter, "It can only spell danger for businesses as attacks increase and threats grow more prolific."

Fortunately, some companies are on top of this issue. For example, SC Magazine US's CSO of the Year Forrest Smith, senior manager of information security and CISO for Nissan Americas, saw his organization move out of the information systems department and into corporate services in the last year or so. This move expanded IT security's scope to include the management of engineering and manufacturing, allowing his group to "focus on threats across the organizations and across different types of devices," he explained to SC earlier this year.

It also makes IT security much more autonomous, allowing Smith and his crew to "shine the light on issues that don't always make it up to leadership," explains Brian Delauter, Smith's boss, who is the director of the corporate services division. "The net goal is to strengthen IT security for the enterprise. It's always about the company. We're going to be better tomorrow than we are today."

Better tomorrow than we are today. That must be any company's mantra in regard to its information security posture, and to pretty much any financial plans and organizational structures related to it.