Wednesday, September 19, 2007

Gartner thinks that too much is spent on IT security

Computer Weekly has an article in which they discuss a Gartner Group keynote speech:

"In a keynote speech, he [ed: John Pescatore, Vice-president at Gartner] said that retailers typically spend 1.5% of revenue trying to prevent crime, then still lose a further 1.5% through shoplifting and staff theft, costing 3% in total.

But Gartner's research suggests that the average organisation spends 5% of its IT budget on security, even with disaster recovery and business continuity work excluded, and IT managers are tired of requests for more. Security has dropped from first (in 2005) to sixth (in 2007) in the firm's annual survey of chief information officers' technical concerns."

I find this an odd argument.
Should the real driver for IT security investment not be the amount spent on security, but the amount of loss that is prevented by the money the controls cost?
If a bank is robbed and $100,000 is stolen, it is a very big robbery. If a bank's IT security controls are penetrated, the direct damage alone will far exceed that amount.
Opportunity costs are also costs.
