Motivations, trends and measurement of IT security spending
A new comparative survey by The Ponemon Institute explores the motivations behind IT security spending among UK and US organizations, and how industry regulations, data breach mitigation and the fear of reputational damage rank in the decision making process.
The research revealed that compliance (54 percent) and a sense of responsibility to protect information (45 percent) were the top two reasons for IT security funding in the UK, while organizations in the US cited the need to respond to recent breaches or other security exploits (63 percent) as the biggest driver.
This could be due to the fact that many US organizations report multiple data breaches, with 30 percent of respondents experiencing more than three incidents in a year, compared to just 19 percent citing the same in the UK. Similarly, with 62 percent of UK organizations naming complexity of regulatory requirements as the biggest barrier to security, it is unsurprising that such great emphasis is placed on compliance.
In terms of the most important considerations when selecting security and data protection solutions, low purchase cost, ease of deployment and low running costs were the top requirements for all respondents. Conversely, positive peer reviews and interoperability were the least sought after.
“These findings seem to suggest that the UK organisations take a generally more proactive approach to data security than their US counterparts,” said Dmitry Shesterin, VP of product management at Faronics. “This could be down to numerous factors, including the fact that the UK has an incredibly stringent regulatory environment, so it becomes inevitable that organisations across the country would see compliance as a top priority for spending.”
“Echoing this, 53 percent of UK respondents named compliance violations as the most serious threat to their business, while this was the feeling of just seven percent in the US. The number of US organisations admitting that security funding is driven by the need to respond to previous data breaches is also notable, and suggests that firms need to take heed from other high-profile security incidents and urgently up the ante on proactive security, rather than waiting for the inevitable to happen,” he added.
Despite these varying motivations for IT security investment, organisations in both countries spend an almost equal proportion of money on security. UK organisations dedicate an average of 13 percent of total IT budget, with the US slightly higher at 15 percent. In terms of spend justification, a reduced number of data breach incidents (63 percent) was the greatest benefit of installing security solutions in the UK, while most US respondents stated better employee productivity due to machine availability (46 percent) when asked the same question.
The survey asked about risk management strategies, and what respondents considered to be the most valuable assets that they hold. In both countries, security risk is identified mostly through informal observations by supervisors and managers (74 percent UK, 67 percent US), and – perhaps unsurprisingly – intellectual property poses the highest level of risk to organisations if lost or stolen, closely followed by customer data.