Which security technologies deliver the biggest bang for the buck? Simple: antivirus and anti-malware software, followed by endpoint security solutions, Web application firewalls, and policy enforcement tools.
So finds a new survey of 488 United Kingdom-based IT and IT security practitioners. The study, sponsored by Vodafone and F-Secure and conducted by Ponemon Institute, asked IT professionals to rate the cost and effectiveness of various security options, as well as to assess their organization's current security posture.
Surprisingly, the study found that when it comes to mitigating the biggest security threat facing organizations -- identified by respondents as the loss, theft or removal of sensitive information -- organizations lack both the budget and the effective controls the threat calls for.
"Time and again our research finds that security and data protection activities are both under-funded and under-staffed," said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement.
One related challenge is that many organizations still require their security teams to justify their technology budget using traditional return on investment (ROI) metrics. But ROI fits data-loss controls poorly: the "return" on a control that works is that nothing bad happens, or that the organization never has to pay for a data breach cleanup, and the cost of an event that did not occur is hard to put on a balance sheet.
Accordingly, Ponemon is advancing a different business case for justifying information security purchases: return on prevention. "Because expenditures must be justified to pass budget approval hurdles, we believe our 'return on prevention' model can help make it easier for IT and IT security practitioners to make the business case for acquiring enabling security technologies and related control activities," he said.
Return on prevention emphasizes "low-cost solutions that are effective in stopping threats or attacks," and which require few resources to deploy or implement, said Ponemon.
Applying these metrics, the study reports that beyond antivirus, anti-malware, endpoint security, web application firewalls, and policy enforcement tools, mobile device security solutions also produced a relatively high return on prevention, compared with information security technologies deployed in enterprise systems or networks.
But the highest return on a prevention investment, according to the study, "is from governance and control activities, including the appointment of a CISO and training of end users, and professional certification of security staff."