A study by consultant The Meta Group reveals that blue chip organisations are making security investments in reaction to breaches, rather than being proactive.
'Security Adoption and Deployment Strategies', the latest survey conducted by independent consultant The Meta Group, suggests that blue chip organisations are showing a "disappointing lack of proactive, business-driven investment" in security, and are seemingly prepared to wait for a security breach before any action is taken.

The survey of over 500 in-house IT and security professionals found that, although nearly 40% of those firms surveyed had reported some form of security breach in the past two years, nearly 20% didn't actually know if they had. Over 70% cited the potential damage to company image as a main driver for investing in manned security and systems, 70% fear legal liabilities while a further 60% were concerned with lost revenues.

Worryingly, 30% of the blue chip concerns questioned indicated that substantial parts of their infrastructure (e.g. PCs and networks) still fall outside the scope of security programmes. According to Tom Scholtz, vice president of global networking strategies at The Meta Group, the potential for unmanaged risk due to ignorance and reactionary policies can be huge.

"Companies must be aware that if they fail to implement successful security management procedures, then the organisation could be exposed to an untenable risk," stressed Scholtz. "Many of them have mistakenly addressed security and privacy concerns primarily through the use of technology. In truth, information security management must be regarded as a business issue driven by senior management and reflected throughout the organisation."

On a more positive note, the report identifies a shift by some organisations towards a more proactive approach to security through the establishment of dedicated security teams and attention to security policy. Some 60% of large organisations (10,000-plus users) were found to have set up security teams, although European companies have been slower to do so than their American counterparts.

The study also found that 43% of organisations review security policy on an annual basis. In truth, it is often closer to every two-to-three years for most companies.

The Meta Group survey states: "Given the increasing rate of technological and business change, leading organisations are instituting security policy management as an ongoing process – and establishing themselves as the front runners for strategic risk management."

The Meta Group expects security budgets as a percentage of IT budgets to rise from the current one-to-two per cent level to five-to-seven per cent during the next five years.