Are Budgets to Blame for Security Gaps?
CDW, an information technology solutions provider to business, government, and education, has released its IT Threat Prevention Straw Poll that surveyed 200 IT security managers and "decision makers" at mid-size and large U.S. enterprises. The poll focused on IT security threats and the measures businesses are taking to prevent them.
The top concern (cited by 37 percent of respondents): data loss -- "primarily from user misbehavior, negligence or accidents," according to CDW.
"It's critical for businesses to secure themselves with the effective, readily available shields against ordinary threats, to free up time and resources for more proactive action against data loss and the rising threats of botnets and malicious, targeted attacks," said Doug Eckrote, senior vice president, strategic solutions and services at CDW, in a statement.
The majority of organizations surveyed have dedicated IT security support in place (for example, 68 percent have a dedicated IT security administrator or team), but more than four out of five respondents say there's room for improvement.
What would it take to spark a budget increase to make that improvement happen? Everything from news stories and case studies to a breach of their own systems. However, what caught my eye was this result: 18 percent confess that "only a significant breach of their systems would compel an escalation of security investment at their business." Of course, by then security "prevention" measures are of no use.
Sadly -- and perhaps shockingly -- more than one in six organizations "say explicitly that nothing could compel their business to invest more for a higher level of security and threat prevention." Nothing? Though there's obviously room for improvement, it's just as obvious that few want to spend the money for it -- no matter what.
On the plus side, more than a third (39 percent) agree that "an assessment of their systems pointing out real vulnerabilities would lead to additional investment." Given the tough economy and tougher budget constraints, that may be magical thinking. As CDW notes in its commentary, "the challenge ... is how to obtain such an assessment, given their ongoing work load, and whether the assessment will have weight with their executive management. Their answer, though, indicates optimism that management will respond to a specific assessment."
Ironically, one-quarter of those surveyed see "evolved forms of current threats" as their top future challenge. CDW points out that "there are tested and proven solutions to help businesses control 'evolved forms of current threats,' so businesses that see these as their next big threat most likely reflect management issues such as limited funding for IT security, competing priorities for new project funding in general, gaps in executive understanding or commitment (including IT staffing), or a lack of security training and experience on the part of the IT staff."
- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 06/03/2010