Report: IT Leaders Need To Improve Reporting on Security Investments

With the advent of malicious software that can be purchased online and an underground infrastructure that can be used to set off targeted attacks, cyber security threats are becoming more "democratized," and therefore more likely to gain visibility beyond the walls of the data center. That can lead to more enlightened thinking among executive management about investing in security measures, said Research Director Lawrence Pingree during a Gartner security and risk management summit being held in Australia this week. At the same time, however, IT leaders may not be doing the best job at communicating how the new risks tie into the organization or justifying security investments.

The result will be higher security spending worldwide. Gartner expects outlay on information security to reach $71.1 billion in 2014, up 7.9 percent over 2013. The segment seeing the fastest growth is data loss prevention. New categories of security prevention are forming to address mobile, cloud, social and information (often interacting together).

Mobile security of consumer devices won't really be a high priority for users until 2017 onward, when it will begin to sink in that they need to protect their phones and tablets in the same way they protect their more traditional computers. Gartner reported that it does not expect to see new demand for this type of capability to emerge before 2016.

The analyst firm also anticipated that by 2015, about a tenth of overall IT security enterprise product capabilities will be delivered from the cloud. And by 2018, Gartner predicted that more than half of organizations would use security services firms as an addendum to their own security efforts for data protection, security risk management and security infrastructure management. A "significant portion" of organizations are shifting resources away from the operations of security tools and to mitigation and incident response.

Communicating the changes and the need for information security investments often flummoxes IT leaders, who frequently make the mistake of delivering reports that are overly complex, include "too much information and fear," and lack alignment with larger organization initiatives. Gartner vice president and distinguished analyst Paul Proctor recommended that security teams find ways to talk about the benefits of security changes as much as they focus on the risks to the organization.

Proctor recently wrote a report providing "practical tips" for linking risk and security to corporate performance. Among his recommendations:

  • Formalize risk and security programs in ways that will make their activities "repeatable and measurable";
  • Measure program maturity by comparing aspects of security to a maturity scale in order to identify gaps and areas for improvement. This approach has the benefit of not requiring a lot of techno-speak, which can boggle decision-makers;
  • Use risk-based approaches that allow the organization to make "conscious decisions" about what's most important to protect and what could be at stake if they choose not to mitigate the risks;
  • Use lead indicators of risk conditions, such as key performance indicators, that don't focus entirely on IT systems but on other aspects of the organization too, in order to move away from the idea that IT security is purely an IT concern;
  • Tie risk work to corporate goals. The C-suite doesn't buy into "fear, uncertainty and doubt" when making investment decisions, Proctor advised. Better to show the business value of security investments; and
  • Spell out what works and what doesn't work. Business people want to know what the risks are, what the organization's risk posture is, and what's being done about it. "Communicate that well and you've won half the battle," he noted.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
