Read Bennett Gold LLP's privacy policies and practices regarding this web site.
LINK TO: Bennett Gold LLP's Privacy Policies and Practices. E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


THE ART OF BUDGETING FOR IT SECURITY BREACHES

Source: E-Commerce Times

Posted on November 15, 2005

      Total security for a corporate network may be a goal of many IT executives, but no matter how much a company invests in security systems, breaches - originating either outside or inside a corporate network - are a fact of life in the information age.

      Given that security incidents are inevitable, how can IT executives budget for them, earmarking funds to cover staff overtime, replace hardware and software, and pay security specialists to investigate an attack? After all, it is difficult to quantify losses due to a breach, especially when no company wants to admit that they occur. Moreover, in an era of IT belt-tightening, requests for money "just in case" may not be greeted warmly by boards of directors.

      On the other hand, by planning for the extra resources needed to respond to a breach, CIOs can minimize damage, enabling their IT staff to quickly repair and restore systems to full operation. Can they accomplish this in today's IT climate?

      Analysts say it can be done - but it probably is not happening too often. Security remains a well-intentioned afterthought at many corporations.

      "Expenditures being made today are expected to provide immediate return on investment," Yankee Group chief research officer Brad Hecht told the E-Commerce Times. "That's kept security spending in general from climbing up the priority ladder."

Physical, Yes; Virtual, No

      In the wake of the September 11th terrorist attacks, there was a widespread belief among technology executives that greater importance would be placed on corporate information security. Supporting that contention, scores of companies did make immediate attempts to improve their business continuity and disaster recovery capabilities. However, many industry watchers say that push did not translate directly into increased spending on IT security.

      In other words, Hecht said, CEOs and board members saw the physical fallout from September 11th and scrambled to prepare their companies for such a scenario, but many were not as diligent about securing their enterprises against threats that exist in cyberspace.

Still a Struggle

      Why might IT execs have trouble convincing a CEO to spend money on information security?

      Siebel Systems CIO Mark Sunday told the E-Commerce Times that although corporate boards are more aware of security issues than ever before, they still do not fully understand them - and most boards are reluctant to fund what they cannot grasp.

      "As aware as CEOs and boards have become of security issues, spending in that area hasn't gone up in proportion and certainly not to the levels people expected," Sunday said. "That makes it difficult to build in extra budget to plan for the worst."

      Sunday noted that Siebel, which has been focusing on security issues for several years, made additional investments in business continuity post-September 11th, building a backup system that enables all Siebel data to be up and running from a secondary location within six minutes. That type of investment is typical of large corporations in the United States, he said.

Hope for the Best

      In addition, figuring out a financial target for a budget line item dealing with IT security breaches could require exploring dozens of possible scenarios. That in itself could be a costly process.

      Bill Van Emburg, COO of systems and security integrator Quadrix Solutions, which counts JDS Uniphase and AT&T among its customers, told the E-Commerce Times that although prevention can help minimize the losses associated with security problems, every enterprise must calculate differently when figuring out how to budget for breaches.

      "There is no dollar figure that you can allocate to this exercise," he said. The amount a CIO should consider earmarking could depend on whether an enterprise has purchased security insurance and how likely an attack or failure is. That likelihood, in turn, may depend on whether or not the company is a high-profile target and how much preventative security work has been done.

      According to Van Emburg, most companies would do best to invest any just-in-case funds in upgrading existing security systems, such as firewalls or intrusion detection systems. "Too many companies set up systems and then forget about them," he noted. "Security isn't a passive thing."

      While it is true that companies should keep their security systems up-to-date, breaches will occur no matter how sophisticated those systems are - and an unprepared firm will lose more time and money in the long run than an enterprise that is ready to respond. Boards of directors would do well to remember that when allocating IT funds.




CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.


ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.