Posts Tagged ‘it spending’

IT Spending on the Rise

Monday, December 1st, 2008

In follow-up to our previous post about the economic impact on IT budgets for 2009, and the second post about the budget impacting the education sector, a new study by the Computing Technology Industry Association indicates that IT spending in the UK will increase next year for small and medium-sized businesses.

As with the Global State of Information Security report highlighted here, which shows that 44% of those surveyed would be increasing information security spending, this new study indicates that 51% of small and medium-sized businesses plan to increase their tech spending by 10% or more in the next 12 months. This growth in spending is lower than in the previous year, but the proportion of those decreasing their budgets or keeping them flat is still low.

“In the past, tech spending might have been one of the first line items slashed in a tough economy. Today, SMBs are savvier because they rely on technology for an increasing amount of their core business operations. It’s encouraging to see that the majority of SMBs plan to maintain, if not increase, current tech spending during this time of economic uncertainty.” – Todd Thibodeaux, president and chief executive officer, CompTIA

Overall, SMBs continue to remain optimistic about business growth, despite the current economic instability in the UK and around the world.

Another very interesting article on CSO Online is encouraging colleges and universities to step up and include more IT security education for students planning on going into IT. And in terms of “stepping up”, an article in the Vancouver Sun recently also talked about social media and how companies should take stock of what’s being used and how to embrace it, rather than ignore or ban it (which is not only ineffective but also poses a security risk).

Via VNUNet

Global State of Information Security Report

Thursday, October 30th, 2008

CSO Online has released the results of its annual survey with The Global State of Information Security 2008 [PDF]. The survey indicates that security spending is on the rise – a trend that is projected to continue, despite current economic uncertainty.

The survey includes answers from more than 7,000 senior executives and shows some surprising results – such as that 14% of security incidents in the past year involved devices. This shows a growing trend in the use of mobile devices, and the lag evident in mobile security planning.

With the IT group still strong as a source for information security funding, the survey found that the “IT Toolbox” is more comprehensive than before. More companies now have malicious-code detection tools, application-level firewalls, intrusion detection & prevention tools, encryption, automated password reset tools and wireless handheld device security.

Despite all those positive increases in the use of IT security tools, some numbers are still quite low. For example, only 50% of companies have laptop encryption tools, with even fewer (42%) having wireless handheld device security. There is no data available on additional laptop security measures such as Absolute’s laptop tracking & recovery solution. Encryption alone is only a base level of laptop security planning.

When it comes to security incidents, there still exists a wide knowledge gap. 45% of security incidents in the last year could not be connected back to known vulnerabilities. Of those that could be identified, the method of exploitation was most often at the network level. Employees and former employees, however, remain the largest source of security incidents (although less so this year than in past years). What this indicates is that technology solutions have been rolled out without being a part of a more comprehensive security policy.

“If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information.”

Interesting findings from the study:

  • Business continuity and compliance is the lead reason for investing in security (57%)
  • 28% of consumer products and retail executives say security spending is poorly aligned with business objectives
  • 45% of respondents can’t identify vulnerabilities that led to security incidents
  • 43% of respondents audit or monitor user compliance with security policies
  • 22% of respondents keep an inventory of the outside companies that use data

The last result is quite telling – considering the number of data breaches that have been the result of third party mistakes, this is an obvious area of concern in security policies. Additionally, only 37% of survey respondents require third parties to comply with internal privacy policies. There appears to be greater confidence in third parties than reality may warrant – 75% believe their partners’ security is effective, while only 28% perform due diligence to understand their security precautions.

Continue reading the CSO Online analysis of this survey here. You can also check out Absolute Software’s whitepaper on endpoint security.

Compliance Spending Found Profitable

Friday, August 29th, 2008

The IT Policy Compliance Group (IT PCG) has published its annual report on IT Governance, Risk and Compliance. The 2008 Report, which can only be downloaded by members, looks at research conducted with more than 2600 organizations.

According to the published brief, security and compliance spending can lead to higher profits, lower expenses and improved customer satisfaction. Although many companies dread spending on compliance and security, even with the risks associated with cost-cutting methodologies, the report indicates that companies that move up the IT governance, risk and compliance (IT GRC) maturity scale are seeing a high return on their efforts.

IT GRC encompasses practices to deliver greater business value from IT strategy, investment and alignment, as well as mitigating risk and conforming to compliance mandates. What the data shows us is that IT GRC-mature companies enjoy higher revenues & profits while spending less on regulatory compliance. These best practices also lead to a reduced risk if a data loss were to occur: 0.4% of revenue in mature organizations vs. 9.6% for less mature companies.

Those companies considered most mature were not necessarily large businesses, but businesses that have effectively adapted security process frameworks to their businesses. Less-mature companies tend to over-focus on operational process frameworks.

You can continue reading about this report from Network World, where there’s a great overview.
