Network Computing is part of the Informa Tech Division of Informa PLC


The Dollars And Cents Of Security

Security budgets are too low — that's for certain. While companies spent roughly $300 billion worldwide on Y2K remediation, only a fraction of that amount is being spent on security. Analysts at IDC estimate that worldwide spending on corporate digital security this year is less than $25 billion, including costs associated with people, products, and services.

When considering the comparison, it's also worth noting that the Y2K issue focused on a fairly specific set of threats within a finite period of time. Nevertheless, companies established cross-functional task forces, reallocated budgets, and as a result, most survived Y2K with reputations and systems largely intact. By contrast, in spite of the increased awareness of security issues after Sept. 11, 2001, business and financial managers still don't fully appreciate the business value of a sound digital-security strategy. Unlike Y2K, security threats are neither predictable nor finite. Their impact can range from terribly inconvenient to horribly catastrophic. When a security breach occurs, a company's liability, privacy, reputation, and ability to survive are compromised. And companies tend to assign responsibility for security to the IT department, even though risk is distributed throughout the business units. (See related article on an integrated enterprise approach on p. 38.)

Why is so little invested in the protection of hard-won customers, valued employees, and critical assets?

For one thing, security-budget decisions are complex. To justify a long-term and appropriate level of investment in security, members of the security community — consultants, influencers, integrators, and vendors — have to do two things: communicate better with corporate executives, and establish a credible economic basis for security investments. Top management understood the dangers of Y2K disruptions to their business; they have to feel the same way about ongoing security risks.

Unless business managers change their thinking about security, the budget will continue to be inadequate. To begin the conversation about how security helps reduce risk and actually supports financial goals, technical and business management must first speak the same language. The technical team has to become fluent in the language of business, able to converse about assessing corporate risk as it pertains to digital security.
