More and more organisations are increasing their spend on IT security solutions, which suggests the threat of a cyberattack is hitting home. Two-thirds of members polled by the Institute of Information Security Professionals (IISP) said their security budgets have increased, while, according to our Risk:Value 2016 research report, global organisations have this year allocated, on average, 13% of their IT budget to information security (compared to just 10% in 2014).
Few executives would question the need to spend money on information security, but the real challenge is demonstrating how the money is spent and the value that is provided. Adding new technology alone is not the answer to managing risk. Nor is just defining a strategy and developing a business model going to assure an organisation’s information security.
Risk management needs to be a continuous process, which should remain at the top of any board agenda. Frequently in day-to-day operations, incidents can undermine the best-laid plans and best-of-breed technologies. This can happen on a small or large scale. Some examples include:
- Business change such as relocation, opening new offices, downsizing, outsourcing
- New markets and acquisitions
- Mobile working and bring your own device (BYOD)
- Differing departmental security requirements, such as HR or sales and marketing
- Disgruntled staff and fraudulent activity
- Key personnel leaving
- Poor internal communications
- Careless or unauthorised use of social media
- Hacking activity
- Or a member of staff losing or misplacing a USB memory stick
Security systems are like high-performance racing cars that need to be constantly maintained, updated and tuned for optimum efficiency. The skills to make this happen are thin on the ground and expensive to recruit and retain.
Working with a Managed Security Services Provider can help businesses establish a scalable and robust framework for continuous risk management – making the most of 13% investment in information security and helping them to articulate the case for future investment.