Increasingly these days, CIOs and their investments are measured on their Return on Investment. Budgets everywhere are tight, so only those investments that can claim a good return will be approved. There is, however, a category of investments where the ROI is impossible to calculate, namely investments in information security.

Underfunded IT

Information security is a domain that is chronically underfunded in many organizations. In a recent survey conducted by Vanson Bourne Research on behalf of EMC, two out of every three respondents said their companies have suffered at least one of the following crises in information security: unplanned downtime (37%), security breaches (23%) or data loss (29%) in the last twelve months. Over 3,000 respondents were polled for this research, and both business and IT managers participated. Quite alarmingly, nearly half of the global respondents (45%) report that their senior executives are not confident that their organization has adequate data protection, security and IT availability. Fortunately, the numbers are slightly better for the Benelux respondents, where 64% are convinced senior executives have a high level of confidence in the IT security maturity of their organization.

So what’s stopping companies from tightening up on information security? Budget. Over half of respondents claim that lack of budgets is the main inhibitor to technological progress in the area of information security. Other factors that limit an improvement are resource and workload constraints, planning and anticipation, and knowledge and skills.

Average cost of incidents

Now here’s a strange paradox: organizations don’t want to invest in information security, yet the cost of the information security incidents we cited earlier are enormous: the average cost of these incidents varies between USD ,497,000 (unplanned downtime) and USD 860,000 (security breaches). The average cost to companies suffering data loss was USD 585,000. Surely, these numbers should convince senior management that investments in information security are worth their while. What’s more, the respondents in the Vanson Bourne Research study clearly cited other advantages then just cost associated with improved security controls, like lower barriers to information sharing, more time for innovation and analysis and lower compliance reporting costs.

I know we all hate to pay insurance, because it’s an investment that only has a return when something serious happens. But in the case of information security, the odds that something will go wrong are so high that it’s very unwise not to invest in a better protection against unplanned downtime, data loss or security breaches.

En photo, Arnaud Bacros, Country Manager EMC Benelux

Visiter le Blog d’Arnaud Bacros