
February 2009

Managing Spend on
Information Security and
Audit for Better Results

IT Policy Compliance Group


Contents
Executive Summary 2
Managing business risks from the use of IT 2
Principal business risks and operational outcomes 2
Financial risks, losses and returns 2
Reducing risks, reducing costs and improving results 4
Managing spending on information security for better outcomes 5
Risk-based performance budgeting for information security and audit in IT 5
Recommendations 5
Benchmark Findings 7
Primary business risks from the use of IT 7
Operating outcomes in IT 7
Once a winner, always a winner 8
Information security, assurance and regulatory compliance in IT 9
Size of organization: no influence on outcomes 10
Firms in most industries operate in the norm 11
Financial exposure from risks in IT 11
Risk occurrence rates 12
Annualized financial losses 13
Low self-sustained loss thresholds 14
Financial returns 14
Overspending: the financial risk for regulatory compliance 15
Practices dictate outcomes and financial risks 15
Impact of CISOs on results 16
Leveraging the organization 16
Actions that reduce risks, reduce costs and improve results 17
Continuous assessment and reporting 18
Controls for managing risk in IT 18
Automation reduces risks and costs 19
Information for managing risk in IT 20
Additional tools and methods for managing risk 20
Reports routinely produced to manage risk 21
Risk scoring, assessment and analysis 22
Managing business and financial risks from the use of IT 23
Managing spend on information security for better outcomes 24
Financial returns for managing risks from the use of IT 24
Financial returns for managing audit results in IT 25
Actions and practices delivering better results 25
About the research 27
About IT Policy Compliance Group 28

Managing Spend on Information Security and Audit for Better Results

Executive Summary

Managing business risks from the use of IT


Every activity has some risk associated with it, including the use of IT. However, the principal business
and financial risks from the use of IT differ by size of company. Appropriately managing the principal
business risks and reducing overspending depend on specific organizational practices that, if not
implemented, result in higher costs, larger financial exposure and more frequent loss.

Much like an insurance deductible, all organizations are willing to sustain some level of financial loss
from the loss or theft of customer data and business downtime from disruptions occurring in IT. However,
compared to the financial exposure and losses being experienced, the losses organizations are willing to
sustain are exceedingly low, and the returns for making improvements are extraordinarily high.

Almost all organizations have significant financial incentive to improve results, including:
• Significantly lowering financial exposure and loss
• Substantially reducing audit expenses, by one-third to one-half annually
The benchmarks conducted by the IT Policy Compliance Group show almost all organizations
have financial incentives easily exceeding 100 percent to make improvements to reduce financial
risk from data loss, downtime and regulatory audit. This report, covering ongoing and recent benchmarks,
includes findings covering 1) the principal business and operational outcomes being experienced by
organizations; 2) financial risks, losses and returns; and 3) the practices making the most difference
to control risks, reduce costs, and improve results.

Principal business risks and operational outcomes


The primary business and financial risks from the use of IT are directly related to how well, or poorly,
organizations are managing the confidentiality, integrity and availability of information and IT assets.
These are directly related to the controls and procedures implemented to protect sensitive information,
maintain the integrity of information and audit controls, and the availability of IT services.

Specifically, the primary business and financial risks are due to losses, or lapses, that are occurring
in three areas:
• Confidentiality, or protection, of sensitive information
• Integrity of information, assets and controls in IT
• Availability of IT services

These three, the loss of confidentiality, integrity and availability, are ranked as the top business
risks by organizations, well ahead of other possible risks, including those from outsourced IT projects,
systems and information, delays to critical IT projects, and shortages of IT skills. Although these are the
primary business risks, outcomes being experienced by organizations for these three principal
risks vary considerably.

Operational outcomes vary


Ongoing IT PCG benchmarks measure three key performance results occurring among organizations:
1) the loss or theft of customer data; 2) the incidence and extent of business downtime from failures
and disruptions occurring in IT; and 3) deficiencies in IT that must be corrected to pass audit.

Worst outcomes: Approximately two in 10 organizations (19 percent) are experiencing the worst
outcomes: the highest data losses or thefts, the most downtime from IT failures, and the largest
problems with regulatory compliance. These firms are experiencing more than 15 losses or thefts
of data each year, 80 or more hours of business downtime from failures occurring in IT, and more
than 15 deficiencies in IT that must be corrected to pass audit.

Normative outcomes: Nearly seven in 10 organizations (68 percent) are operating at the norm,
with data loss or theft rates that range from three to 15 each year, between seven and 79 hours
of business downtime, and between three and 15 compliance deficiencies in IT that must be corrected.

Best outcomes: Only about one in 10 organizations (13 percent) are consistently operating with
the best results, including fewer than three losses or thefts of sensitive information, less than
six hours of business downtime, and fewer than three deficiencies to correct to pass audit.

The financial outcomes being experienced by organizations are directly related to the outcomes being managed within IT.
Organizations with the worst outcomes in IT are experiencing higher levels of financial exposure and loss than all others.
However, it is the majority of organizations that are overspending on audit.

Financial risks, losses and returns


Financial exposure from the loss of customer data and business disruptions is aligned with outcomes
experienced in IT. These include:
• Best-in-class firms experience the lowest and most infrequent financial losses
• Normative performing organizations experience higher financial losses
• Firms operating at the worst levels experience the highest and most frequent financial losses

The financial exposure from the loss or theft of customer data and business downtime depends
almost entirely on the practices implemented in IT to manage these risks (Figure 1).
Figure 1: Financial exposure from data theft or loss

Source: IT Policy Compliance Group, 2009

Practices implemented by organizations impact both the magnitude of financial loss and when losses
occur. For example, best-in-class firms delay the onset of data loss or theft to decades or longer, while
also reducing the magnitude of financial impact. This is in contrast to firms with the worst practices that
experience more frequent, and higher, financial consequences from the loss of customer records. Unlike
the loss or theft of data, the onset of business disruptions or inability to access information is a more
common occurrence. Fortunately, the loss or theft of customer data does not occur every week, or for
many organizations every year. But for some organizations the loss of data occurs more frequently than
others.

When the onset of data loss or theft occurs and the frequency and extent of business disruptions
due to failures and disruptions occurring in IT are taken into account, the average annualized losses
incurred by organizations, while lower, remain substantial (Table 1).


Table 1: Average annualized financial loss rates, data loss-theft and downtime

Annual revenue or budget   Worst practices   Normative practices   Best practices
$50 million                $1.5 million      $240,000              $20,500
$500 million               $19 million       $3.3 million          $211,000
$5 billion                 $329 million      $60 million           $2.25 million
$50 billion                $5 billion        $1.2 billion          $25 million

Source: IT Policy Compliance Group, 2009

Financial returns for managing data loss-theft and downtime risks


The return on losses organizations are willing to sustain before improving practices ranges from 100
percent to more than 1,000 percent annually, depending on size and current practice levels. Based on
these metrics, most organizations have solid financial reason to improve practices without a need for
cost-justifications and cost benefit analysis (Figure 2).

Figure 2: Financial returns for managing risks

Source: IT Policy Compliance Group, 2009

Financial returns for integrity: avoiding overspending on audit


A majority of organizations are overspending on audit fees and expenses to sustain audit results each
year. The overspending by seven in 10 organizations includes annual spending that is 66 percent higher
than firms with the worst outcomes and annual spending that is 100 percent higher than organizations
with the best outcomes. Organizations with the best track-records are spending between 35 percent and 52
percent less on audit fees and expenses annually.

Practices for managing risks, reducing costs and improving results


All industries, and organizations of all sizes, have an equal opportunity to reduce risks, reduce costs
and improve results. Firms in more highly regulated industries have no latent advantages over organizations
in less highly regulated industries when it comes to protecting customer data. Larger enterprises have no
inherent advantage over small businesses when it comes to maintaining 24x7 IT services. Although firms
in a few industries, such as publishing, media, entertainment, medical devices, and aerospace are experiencing
worse or better outcomes than firms in other industries, most firms and most industries are operating at the norm.

The primary factor influencing operational outcomes, financial risk and overspending is the practices
implemented by organizations to manage risk and spending. Organizations with the worst results and highest
losses from the use of IT are actually spending the same amounts on information security as the firms with
the lowest risks and best outcomes. The differences between the two include practices implemented for
managing risk and lower spending on regulatory audit.

The integrity of the controls and procedures being employed to manage risk within IT by these organizations,
and the lack of such controls and procedures among others, is reflected by the major cause of audit problems
in IT, almost all of which are directly related to information security and assurance practices, where:
• The top five reasons for audit problems are from information security and assurance practices
• Seven of the top 10 audit problems are related to information security and assurance practices

Although the theft or loss of customer data results in unwanted press attention, and severe outages may
temporarily garner operational change within an organization, it is the on-going, day-to-day management
of information security and operational assurance that ultimately needs to be improved. Establishing
performance-based budgeting for information security and audit in IT without a commitment to the practices
and actions needed to reduce risk, reduce cost and improve results will not succeed.

Managing spend on information security for better outcomes


Organizations with the worst outcomes and highest financial risks are spending the same amount on
information security as organizations with the best outcomes and least financial risk. Instead of increasing
spend on information security, the worst performers should be reallocating current spending to practices
that deliver better results.
Unlike the worst performers, a majority of organizations are not spending enough on the practices that matter.
In addition to an increase in spending, these organizations should consider eliminating practices that are not working,
implementing the practices proven to deliver results, and incrementally reducing financial risks and audit expenses. The
returns for incremental spending, ranging from more than 100 percent to more than 1,000 percent annually, are high
enough that cost justifications and cost benefit analysis are not warranted for a majority of organizations. However,
incremental spending should be focused where it will do the most good: on practices that will improve results.

Risk-based performance budgeting for information security and audit in IT


The organizations with the worst results and the largest number of data losses, the most downtime and the
worst audit results are spending almost the same amount on information security as the organizations with
the best results. In contrast, a majority of organizations are spending half as much as the others. The
results: the worst performers are spending money on information security and audit and are not reaping the
benefits. A majority of firms are not spending enough on the correct practices, and the best performers have
aligned spending with practices that are delivering results. Risk-based performance budgeting for information
security and audit in IT establishes shared goals and objectives for delivering better results.

Recommendations
The organizations with the best outcomes, the lowest financial losses and the lowest spending on regulatory
audit take very different actions and implement very different practices than all other firms. The recommendations,
based on results being achieved by the best performers, include:
• Establish goals and objectives for managing operational outcomes and financial risk
• Manage spending for practices that reduce risk
• Establish goals and objectives for reducing spend on regulatory audit
• Organize for success by:
- Having the Chief Information Security Officer (CISO) manage information security and compliance
- Placing the IT operations officer or manager in charge of the availability of IT services
- Engaging senior leadership from IT, legal, business and plant security to manage risks
• Take specific actions, including:
- Prioritizing and managing business risks
- Improving IT controls and procedures to manage business risks
- Automating the collection of IT audit data
- Increasing the frequency of monitoring, assessments and reporting to weekly and bi-monthly
• Automate more IT controls to manage risks, especially:
- Technical IT security controls
- Authorized user account controls
• Score business risks from the use of IT based on:
- Loss of confidentiality, integrity and availability
- Severity of business and mission impact
• Routinely use dashboards for reporting on business risks from the use of IT that include:
- Operational quality level reports
- Financial and business impact summaries
- Policy compliance reports
- Legal and regulatory impact reports
- Real-time event reports
- IT audit test reports
- IT security test reports

Reducing financial risk and loss, as well as reducing spend on regulatory audit, ultimately depends on
whether appropriate actions and practices are implemented.

For many organizations in the current environment, costs are already being reduced: the challenge is to
accomplish more with less. Spending on automating controls, continuous monitoring and assessment, and
managing information relevant to the principal business risks from the use of IT are necessary table-stakes
to improve results. These actions need to be accompanied by leveraging information to manage risk among
other practices. The benefit of risk-based performance budgeting for information security and audit in IT is
that everyone, in and outside of IT, knows how to measure the value of the results.


Benchmark Findings
Primary business risks from the use of IT
The primary business risks associated with the use of IT are directly related to: 1) the availability of IT resources and assets for
business purposes; 2) the integrity of IT assets and information; and 3) the confidentiality of information. Measured most recently
across 481 organizations, the findings reveal the top business risks include:

1) Loss or theft of customer data


2) Business disruptions from IT failures and disruptions
3) Loss of integrity for critical IT assets and information
The theft or loss of customer data is rated as the highest business risk by more than 72 percent of organizations, while
business disruptions and the loss of integrity are rated as posing the most business risk by 64 percent and 61 percent of
organizations respectively. After the top three, theft or fraud related to IT assets and information and Internet security
threats pose similarly high business risks. These highest-ranked business risks are followed by shortages of critical IT
skills, delays to IT projects and outsourced IT capabilities and information (Figure 3).
Figure 3: Primary business risks from the use of IT

Source: IT Policy Compliance Group, 2009

The top five business risks are all related to the loss of confidentiality, integrity and availability (CIA). For example, the loss or
theft of customer data is directly related to a loss of capacity to protect sensitive information, IT failures and service disruptions
can directly impact business service levels, and the loss of integrity for critical IT assets and information is something that is
tested through internal audit, external audit, and IT security tests.
The other top-ranking business risks, theft or fraud of assets or information, and Internet security threats, can result in
compromises that impact the confidentiality of sensitive information, the integrity of an organization's controls and procedures,
and can directly impact the availability of IT services.

Although identified as individual responses from the benchmarks, the results are clear: the primary business risks from
the use of IT are directly related to the loss of confidentiality, integrity and availability of IT assets, information and
procedures.

Operating outcomes in IT
The outcomes being experienced by organizations for these three major business risks are not alike. For example, some
organizations are experiencing much more loss and theft of customer data while others have few if any such losses or thefts to
report. Among those with the best track-records, roughly one-in-ten organizations — 13 percent — consistently have the
lowest rates of data loss or theft, the fewest number of regulatory deficiencies in IT to pass audit, and the least amount of
business downtime due to failures and disruptions in IT. In contrast, almost two-in-ten organizations — 19 percent —
consistently have the highest rates of data loss and theft, the most problems with regulatory compliance in IT, and the most

business downtime due to failures and disruptions in IT. A majority of organizations — 68 percent — are operating somewhere
between these two extremes, with between four and 15 losses or thefts of sensitive information each year, four to 15
compliance deficiencies in IT that must be corrected to pass audit, and between seven and 59 hours of business downtime
due to failures and disruptions occurring in IT (Figure 4).
Figure 4: Operating outcomes from the use of IT

Source: IT Policy Compliance Group, 2009

Once a winner, always a winner


What is perhaps most striking from the benchmarks is the consistency with which organizations are experiencing the poorest,
normative and best outcomes across the three primary business risks from the use of IT. When an organization does well, it
consistently does well at maintaining the confidentiality, integrity and availability of its information assets: if it is not doing well in
one area, results suffer across the board (Figure 5).
Figure 5: Outcome profiles are shared for data loss, theft and regulatory compliance

Source: IT Policy Compliance Group, 2009


Almost all (97 percent) of the organizations with the least loss or theft of customer data are the exact same firms with the
fewest regulatory compliance deficiencies in IT to correct to pass audit. The other three percent were unlucky and had slightly
more compliance deficiencies.
A majority of the organizations (76 percent) with the highest losses of customer information are the exact same firms
with the largest number of compliance deficiencies in IT to correct to pass audit. In between these two extremes, a
majority of organizations (93 percent) operating in the middle had between four and 15 losses or thefts of data and
between four and 15 regulatory compliance deficiencies that had to be corrected to pass audit in the past year. The
same pattern of outcomes can be seen in the relationship between business downtime and regulatory audit results,
where almost all (97 percent) of the best performing organizations had the least business downtime and the fewest
regulatory deficiencies to correct in IT to pass audit. By comparison, about eight in 10 (76 percent) of the worst
performers are experiencing more than 60 hours of business downtime and 16 or more regulatory compliance
deficiencies to correct in IT.

Most organizations, almost eight in 10 (76 percent), are posting results that include business downtime levels between seven
and 59 hours annually and between four and 15 regulatory deficiencies to correct in IT (Figure 6).
Figure 6: Outcome profiles are shared for business downtime and regulatory compliance

Source: IT Policy Compliance Group, 2009

Information security, assurance and regulatory compliance in IT


The reason for the similarity of outcomes across the three risks arises from the leading causes of deficiencies found in
audits. The top five deficiencies found in audit are directly related to the loss of confidentiality, integrity and availability:
the foundation of information security practices and the primary business risks from the use of IT.

Beyond the top five reasons for compliance deficiencies, seven of the top 10 reasons for compliance deficiencies flagged
by audits involve the handling and protection of information and related IT assurance and security functions within
organizations (Figure 7).

The uncanny relationship between operating outcomes in IT and the fact that a majority, or almost all, of the same firms
are experiencing similar outcomes indicates that the integrity of information, assets, and controls in IT has a profound
influence on the ability to protect critical information and maintain authorized access to information for the organization.

An obvious conclusion from the benchmarks is that the information security and audit practices within IT strongly influence
operational outcomes for data loss and theft, operational resilience, the integrity of controls for managing risk and conformance
with policies of the organization and its external audit and reporting mandates.


Figure 7: Leading causes of regulatory compliance deficiencies

Source: IT Policy Compliance Group, 2009

Size of organization: no influence on outcomes


Contrary to popular belief, the benchmarks show the size of organizations does not influence outcomes. Although there
are some differences, the broad pattern of two in 10 organizations operating at worse levels, seven in 10 operating in the
norm, and one in 10 operating at the best levels is repeated by size of an organization (Figure 8).
Figure 8: Outcomes by size

Source: IT Policy Compliance Group, 2009

Instead of seven in 10, about eight in 10 smaller organizations operate at the norm for data loss, availability and the
integrity of regulatory audit. Among midsize organizations, two in 10 are operating at the worst levels, seven in 10 are
operating in the middle, and one in 10 are operating at the best levels for preserving confidentiality, integrity and
availability in IT.
Large organizations, those with more than $1 billion in annual revenue or budget, are similarly operating close to norms
with more than two in 10 with worst results, slightly more than six in 10 at the norm, and slightly more than one in 10 with
the best results.

Firms in most industries operate in the norm


The conventional wisdom holds that more highly regulated industries are more adept at, and therefore perform better when it
comes to, regulatory audit. However, the benchmark results show that for most firms in most industries, operating in the norm
is the norm. Although there are unique differences among firms within each industry, the general pattern of two in 10 having
more difficulty, seven in 10 operating at the norm and one in 10 posting stellar results is found across many different
industries (Figure 9).

The industries operating in the norm include automotive, banking, chemical, computer hardware and software, education,
financial service, government agency, healthcare, legal services, insurance, manufacturing, mining, oil, gas, pharmaceutical,
real estate, retail, telecommunications, transportation and wholesale trade among others.

The experience of any one organization within an industry could be anywhere along the spectrum. For example, some
organizations in the telecommunications industry post stellar track records for availability, while the experience of others is
dragging down average outcomes for the industry as a whole. Likewise, some healthcare service organizations are doing an
outstanding job of protecting customer data, while the majority of the firms in this industry operate at the norm.

In contrast, a majority of firms in aerospace, agriculture and consumer products goods industries have the best track records
when it comes to protecting sensitive information, maintaining the integrity of information, and avoiding business downtime from
IT failures. While an argument can be made that the IT systems in the agriculture and animal product industries are not as
complex as those found within the air travel industry, the findings do not reflect these kinds of differences in IT: the findings
simply show the relative outcomes across the industries.

Unfortunately, a majority of the firms in architecture, construction, engineering, entertainment, food and beverage,
management consulting, medical devices, publishing, media, scientific research, and utility industries are experiencing rates
that are worse than the industry norm. This does not mean that all of the firms in these industries are alike: some are indeed
operating with the best results. However, the overall average shows organizations in these industries are having more difficulty
than other industries with protecting information, maintaining service levels from IT, and sustaining regulatory compliance.
Figure 9: Industry results: business risks from the use of IT

Source: IT Policy Compliance Group, 2009

Financial exposure from risks in IT


For a majority of organizations, the seven in 10 operating in the middle, the financial risks from data loss or theft are six
percent of revenue (annual budgets for government and non-profits). These same organizations are exposed to financial
losses from IT failures and disruptions that range from 0.1 to 1.0 percent of revenue annually, depending upon the scope
and extent of these outages. Lastly, these organizations spend the most on regulatory compliance when compared with all
other organizations.


For two in 10 organizations, those with the highest rates of data loss, business disruptions, and regulatory non-compliance
problems, the financial exposure is almost 10 percent of revenue (budget) from the loss or theft of data. The exposure
from disrupted business due to IT failures ranges from 1 to 10 percent depending on the extent of the disruptions.
Organizations with the lowest financial risk from the use of IT are the one in 10 operating at best-in-class levels.
The financial exposure among these organizations is less than 0.5 percent of revenue (budget) from the loss or theft
of customer data. Exposure from disrupted business ranges from 0.02 to 0.2 percent of revenue. These
organizations are also spending the least on regulatory audit, with average spending 52 percent lower than the majority of
firms operating at the norm (Figure 10).
For example, an organization with $1 billion in annual revenue operating in the middle of the pack for managing
confidentiality, integrity and availability risks is exposed to $64 million from expenses and capital losses after the loss or
theft of customer data. This same organization is exposed to expenses that range from $1 to $10 million from business
disruptions due to IT failures and service disruptions. Spending the most to vet the integrity of its financial filings and other
regulatory reporting requirements, these organizations are spending an average of $7.6 million on audit fees and
expenses.
By comparison, best-in-class firms of the same size are exposed to less financial risk and are spending less on audit: less
than $500,000 from the loss or theft of data; between $200,000 and $2,000,000 from disrupted business operations; and
less than $4 million spent on regulatory compliance fees and expenses.
Figure 10: Financial exposure from managing outcomes in IT

Source: IT Policy Compliance Group, 2009


Risk occurrence rates
The frequency of IT failures and disruptions resulting in business disruptions is more than one each year for every group
of organizations except those with best practices for managing availability risks. For organizations with the worst
practices, such outages are both more frequent and longer. However, for a majority of organizations, the impact from
disrupted business operations due to IT failures is one-tenth of the worst outcomes being experienced by firms with the
worst practices: a 90 percent decline. The steep decline in loss experiences from disrupted IT services is largely due to
the attention given to business continuity, resumption and disaster recovery during the past twenty years.
The likelihood of experiencing business disruptions from IT failures is a function of the total outage and the scope of
the impact to the organization. The total outages experienced annually by organizations are directly related to the
number of events and the duration of each event. The extent of the financial impact depends on whether an outage
affects 90 percent of productive capacity or a much lower 10 percent of productive capacity. Firms with the best
practices for managing downtime from IT failures experience significantly less total business downtime annually from
IT failures or disruptions than all other organizations (Table 2).


Table 2: Total business downtime from IT failures and disruptions

Size (annual revenue or budget)   $50 million   $500 million   $5 billion   $50 billion
Worst practices                   93 hours      104 hours      132 hours    179 hours
Normative practices               8 hours       9 hours        12 hours     16 hours
Best practices                    2 hours       2 hours        3 hours      4 hours
Source: IT Policy Compliance Group, 2009
The frequency of data loss or theft varies with the size of an organization and the practices implemented to mitigate such
loss or theft. This may be due to several factors, including an increase in reporting requirements mandated by new data
breach reporting laws and less experience with reducing these incidents compared with the progress made on maintaining
business continuity during the past twenty years.
The likelihood of experiencing data loss or theft currently depends on an organization's practices and its size. For example,
larger organizations are more likely than smaller businesses to experience the theft or loss of data. Moreover, firms with
the best practices for managing confidentiality and integrity risks in IT are less likely to experience theft or loss of data.
Based on the benchmarks with more than 2,600 organizations, available public reports, and the numbers of firms by size,
the likelihood of data loss and theft events having a negative financial impact for the organization ranges from once
every year to once in hundreds of years (Table 3).
Table 3: Likelihood of data losses or thefts

Size (annual revenue or budget)   $50 million      $500 million    $5 billion      $50 billion
Worst practices                   1 in 9 years     1 in 5 years    1 in 2 years    1 in 1 year
Normative practices               1 in 23 years    1 in 14 years   1 in 6 years    1 in 3 years
Best practices                    1 in 245 years   1 in 95 years   1 in 38 years   1 in 21 years
Source: IT Policy Compliance Group, 2009

Annualized financial losses


The occurrence rates of IT disruptions and data loss or theft, as well as the actual impact of IT service disruptions, mask
the likely financial risk in any one year for an organization. By annualizing the loss rate, it is possible to determine what
should be expected, based on the practices implemented to manage financial risk from confidentiality, integrity and
availability risks from the use of IT (Table 4).
Table 4: Annualized financial losses, by practices and annual revenue

Size (annual revenue or budget)   $50 million     $500 million    $5 billion       $50 billion
Worst practices
  Downtime                        $1 million      $10 million     $100 million     $1 billion
  Data loss or theft              $0.5 million    $9 million      $229 million     $4 billion
  Annualized loss rates           $1.5 million    $19 million     $329 million     $5 billion
Normative practices
  Downtime                        $100,000        $1 million      $10 million      $100 million
  Data loss or theft              $140,000        $2.3 million    $58 million      $1.1 billion
  Annualized loss rates           $240,000        $3.3 million    $60 million      $1.2 billion
Best practices
  Downtime                        $20,000         $200,000        $2 million       $20 million
  Data loss or theft              $500            $11,000         $250,000         $5 million
  Annualized loss rates           $20,500         $211,000        $2.25 million    $25 million
Source: IT Policy Compliance Group, 2009

Several observations emerge when losses are annualized. The first is that the financial impact from data loss or theft
overwhelms the impact from downtime for all but the one in 10 organizations operating with the best practices. The second
is that for most small organizations, those with less than $50 million in revenue or annual budget, the larger financial risk
is business downtime, not data loss or theft. Lastly, for most organizations over $50 million in revenue or annual budget,
the larger financial exposure is from the loss or theft of information.

Low self-sustained loss thresholds


The benchmarks identify the loss thresholds by organization size and practice level. These loss thresholds are the
financial losses organizations are willing to sustain before spending additional money on information security and
operational assurance to mitigate further financial loss from downtime, data loss or the loss of integrity of information,
assets and procedures.
Compared with financial exposure and annualized loss rates, the loss thresholds are exceedingly low (Table 5).
Table 5: Self-sustained loss thresholds

Size (annual revenue or budget)   $50 million   $500 million   $5 billion   $50 billion
Worst practices                   $161,000      $337,000       $645,000     $928,000
Normative practices               $120,000      $293,000       $578,000     $855,000
Best practices                    $93,000       $248,000       $506,000     $777,000

Source: IT Policy Compliance Group, 2009

Financial returns
When financial exposure and loss levels are divided by the self-sustained loss thresholds that organizations are willing to
endure before spending money to improve results, the value at risk above and beyond the self-insurance loss thresholds
reveals two interesting findings:
1) most organizations are underfunding financial risks from the use of IT
2) only the smallest of organizations have financial reason to conduct a cost-benefit analysis
All organizations above $500 million in revenue or budget have huge financial incentives to fund the necessary
improvements to reduce risks from the loss of data, downtime, and the loss of integrity that is measured by audit (Figure 11).
Figure 11: Financial returns for information security and operational assurance

Source: IT Policy Compliance Group, 2009

The returns for spending additional money, above and beyond the self-sustained loss thresholds, are easily above 100
percent for a majority of organizations, far above the typical 20 percent hurdle rates considered necessary for new business
initiatives. For many organizations, the returns exceed 1,000 percent: sufficiently high to eliminate any need for cost
justifications and cost-benefit analysis.
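The division described above, worked through in code as an added example (not the report's own model). It takes the Table 4 annualized losses and Table 5 thresholds as inputs and assumes, from the text, that an annualized loss is one event's exposure divided by the mean years between events (Table 3) and that the return is the annualized loss divided by the threshold; the 6.4 percent exposure share is the $64 million of $1 billion figure given earlier, and because the tables are rounded the results match Table 6 only approximately.

```python
"""Annualized-loss and return calculator for the report's Tables 4, 5 and 6.

Added example, not the IT Policy Compliance Group's own model. Assumed
relationships (read from the text, not stated as formulas by the report):
  annualized loss = exposure from one event / mean years between events
  return (%)      = annualized loss / self-sustained loss threshold * 100
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskProfile:
    """One column of Tables 4 and 5: a practice level at a given organization size."""
    practice: str
    revenue: float          # annual revenue or budget, USD
    downtime_loss: float    # annualized loss from IT downtime (Table 4)
    data_loss: float        # annualized loss from data loss or theft (Table 4)
    loss_threshold: float   # self-sustained loss threshold (Table 5)


def annualize(exposure: float, years_between_events: float) -> float:
    """Expected loss per year: one event's exposure spread over its recurrence interval."""
    if years_between_events <= 0:
        raise ValueError("recurrence interval must be positive")
    return exposure / years_between_events


def data_loss_annualized(revenue: float, exposure_share: float, years_between_events: float) -> float:
    """Annualized data-loss cost when exposure is a share of revenue (0.064 means 6.4 percent)."""
    return annualize(revenue * exposure_share, years_between_events)


def annualized_loss(p: RiskProfile) -> float:
    """Total annualized loss rate (the 'Annualized loss rates' rows of Table 4)."""
    return p.downtime_loss + p.data_loss


def larger_risk(p: RiskProfile) -> str:
    """Which of the two risks dominates the annualized loss for this profile."""
    return "data loss or theft" if p.data_loss > p.downtime_loss else "downtime"


def return_pct(p: RiskProfile) -> float:
    """Return on spending above the self-sustained loss threshold, in percent."""
    return annualized_loss(p) / p.loss_threshold * 100.0


def clears_hurdle(p: RiskProfile, hurdle_pct: float = 20.0) -> bool:
    """True when the return beats the hurdle rate (the report cites a typical 20 percent)."""
    return return_pct(p) > hurdle_pct


# Sample profiles copied from Tables 4 and 5.
NORMATIVE_50M = RiskProfile("normative", 50e6, 100_000, 140_000, 120_000)
BEST_50M = RiskProfile("best", 50e6, 20_000, 500, 93_000)
BEST_500M = RiskProfile("best", 500e6, 200_000, 11_000, 248_000)
WORST_5B = RiskProfile("worst", 5e9, 100e6, 229e6, 645_000)
BEST_50B = RiskProfile("best", 50e9, 20e6, 5e6, 777_000)


if __name__ == "__main__":
    # Rebuild the normative $50 million data-loss row of Table 4 from Table 3
    # (1 event in 23 years) and the 6.4 percent-of-revenue exposure in the text.
    print(f"normative $50M data loss/yr ~ ${data_loss_annualized(50e6, 0.064, 23):,.0f}")
    for p in (NORMATIVE_50M, BEST_50M, BEST_500M, WORST_5B, BEST_50B):
        print(f"{p.practice:>9} ${p.revenue:>14,.0f}: loss ${annualized_loss(p):>12,.0f}/yr, "
              f"return {return_pct(p):>10,.0f}%, hurdle cleared: {clears_hurdle(p)}, "
              f"larger risk: {larger_risk(p)}")
```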

Overspending: the financial risk for regulatory audit


Although there are many different kinds of audits, most audits of IT test the integrity of the information, systems, procedures
and controls that are implemented to manage risk.
Despite this primary focus, audits vary from one to another. For example, PCI audits are skewed more toward testing the
integrity and confidentiality of information, systems and procedures than does Gramm-Leach-Bliley audit reporting.
Sarbanes-Oxley (SOX) audits focus on the integrity of financial reporting and the systems, procedures and controls related
to financial reporting, including general IT controls covered by section 404 of SOX. Differences in focus can also be found
across other audits, including HIPAA audits for healthcare information, FDA audits in the pharmaceutical industry, and OCC
audits in the banking industry.
Across more than 2,600 organizations, the money being spent on regulatory audit fees and internal expenses to pass audit
demonstrates a parabolic curve directly related to the three primary business risks related to the use of IT: the
confidentiality of information, the integrity of information, and the availability of information (Figure 12).
Unlike the financial risk associated with data loss and business disruptions, the financial risk from regulatory audit is
overspending, year-in and year-out. A majority of organizations, seven in 10, are overspending on audit fees and internal
expenses, by as much as 35 to 52 percent annually when compared with best-in-class firms.
For example, an organization with $1 billion in revenue or budget spends on average about $7.6 million each year to sustain
regulatory audit results, compared with a best-in-class organization that is spending on average about $4 million. The
difference, $2.6 million, adds up in five years to more than $10 million: money that could be better spent for more productive
purposes.
Normative performing organizations are overspending on audit, in the range of 35 percent to 52 percent each year, compared
to best-in-class organizations. The worst performing organizations are overspending by as much as 20 percent annually.
Figure 12: Overspending: the financial risk from regulatory audit

Source: IT Policy Compliance Group, 2009

Practices dictate outcomes and financial risk


Although size and industry do not materially impact outcomes for managing business and financial risks from the use of IT,
the practices implemented by organizations for managing confidentiality, integrity and availability are responsible for the
differences in outcomes and financial risks. Throughout all of the findings, the one factor that is aligned with better
operational and financial outcomes is the differences in practices being implemented by organizations.
Impact of CISOs on results
About eight in 10 of the organizations with a chief information security officer (CISO) in place, responsible for managing
day-to-day operations and overseeing management responsibility for ensuring the confidentiality and integrity of IT assets, are
among the firms with the best outcomes, with the least financial risk and loss. By contrast, firms without a CISO are among six
in 10 of the organizations experiencing the worst outcomes, with the highest financial risk and loss (Figure 13).
The IT operations group in most organizations is measured and rewarded on keeping the lights on, so to speak. When systems,
information and applications are not available for business purposes, it is the IT operations department that is tasked with
ensuring rapid recovery and resumption of business procedures.
Unfortunately, there is an inherent conflict of interest in having the same department, or person, be responsible for
"availability" while also being responsible for confidentiality and integrity. For example, all of the systems, applications and
networks responsible for serving up credit card transaction data, or patient data, could remain available even if the
confidentiality and integrity of systems and information have been compromised.
The conflict of interest between keeping information, systems and applications available and preserving the integrity and
confidentiality of the underlying information and controls is best resolved by having the CISO manage confidentiality and
integrity, and the IT operations officer manage availability.
Figure 13: Impact of CISOs on results

Source: IT Policy Compliance Group, 2009

After rationalizing the conflict of interest that exists between confidentiality, integrity, and availability, the organizations with the
best track-records for managing risk in IT leverage the organization to manage risk, relevant to the business operating
environment.
Leveraging the organization
Among the organizations with the least business risk and lowest financial risks from the use of IT, both IT operations and the IT
security and assurance function are deeply involved in managing business risks. After these two groups, the best-in-class
organizations also involve:
• The chief information officer (CIO)
• Legal counsel
• Business unit managers
• Plant and physical security staff
Although there are some small differences in the involvement of internal audit and a chief risk officer, if the role exists, the
primary differences directly related to outcomes are the cross-disciplinary involvement between IT, business units, legal
counsel and plant security (Figure 14).
By comparison, organizations with the worst outcomes and the highest financial risks are managing risks from IT operations
with the involvement of the CIO, legal counsel, IT audit and internal audit. In fact, these organizations limit the involvement of
information security and assurance when compared with other firms. Among these organizations, the incidence of a CISO is
low or non-existent.


Figure 14: Leveraging the organization

Source: IT Policy Compliance Group, 2009

Actions that reduce risk, reduce cost and improve results


The organizations with the least loss or theft of data, the lowest rates of business downtime from IT disruptions and the
fewest problems with regulatory audit consistently take the same actions to manage business risks from the use of IT.
These actions include: 1) prioritizing and managing business risks from the use of IT; 2) improving IT controls and
procedures; 3) increasing the frequency of risk and controls assessment; and 4) automating the collection of IT audit data
(Figure 15).
Figure 15: Actions taken to manage risk from the use of IT

Source: IT Policy Compliance Group, 2009


By comparison, firms operating in the norm rely on employee training as much as those with the best track records do.
However, these organizations are not implementing the other actions taken by the best-in-class firms. For example, while 65
percent of the organizations with the best track records consistently prioritize and manage business risks, only 40 percent of
the seven in 10 organizations in the norm take this action.

Continuous assessment and reporting


Firms with the best track records, lowest financial risk, and lowest spending on regulatory audit routinely assess the
effectiveness of controls and business risks once every week and once every two weeks, respectively (Figure 16).
Figure 16: Frequency of assessment and reporting for risks and controls

Source: IT Policy Compliance Group, 2009


In contrast, the vast majority of the population, the seven in 10 organizations operating in the norm, are measuring the
effectiveness of controls and reporting on the risk profile of the organization once every four to five months. Worse yet, the
organizations with the highest losses have the least frequent assessment schedules: once every five to seven months.

Controls for managing risk in IT


Controls are procedures implemented by an organization to manage risk. For example, to avoid an inherent financial
conflict of interest, a common control implemented by most organizations is separation of duties, where the person in
charge of payables is not the same person in charge of vendor receipts.
In the IT department, controls for managing business and financial risk range from those implemented by management,
to controls implemented in operations, to controls that are actually implemented within the technology responsible for
managing information. Examples of the types of controls employed in IT to manage risk include:
Management controls
Objectives, policies, control objectives, standards, frameworks, and risk assessments among others
Operational controls
Physical and environmental, employee training and awareness, personnel clearances, incident response, contingency
and resumption, change management, information retention and disposal, backup, archive, media storage, upgrades,
updates, media labeling, information indexing, and separation of duties among others.
Technical IT security controls
Audit logs, accountability, memory tests, checksums, asset scans, timestamps, integrity checks, configuration checks,
identification, authorization, access controls, and cryptography among others.
Although separation of duties remains an important control, the controls that are most effective for managing risk from the
use of IT are technical IT security controls and authorized user accounts. These two are followed by management,
operational and technical controls for policies, standards, regulatory frameworks, offsite storage, backup, archive,
acceptable use guidelines, employee training, business contingency plans, business recovery procedures, and IT change
management procedures (Figure 17).


Figure 17: Controls employed in managing risk from the use of IT

Source: IT Policy Compliance Group, 2009

Nearly 80 percent of the organizations with the best outcomes rely heavily on the use of technical IT security controls,
including those for authorized user accounts. By comparison, less than 60 percent of organizations operating in the
normative range value these controls, and less than 40 percent of the organizations experiencing the worst outcomes.

Automation reduces risks and costs


Consistent with more widespread use of technical controls and continuous assessment, best-in-class organizations
employ more automated controls. By comparison, seven in 10 organizations operating in the norm employ an even mix of
automated and manually implemented controls to manage business risk from the use of IT. Lastly, organizations with the
highest business and financial risks are relying primarily on manual controls to manage business risks from the use of IT
(Figure 18).
Figure 18: Manual versus automated controls

Source: IT Policy Compliance Group, 2009


Information employed in managing risk in IT


The information deemed most important, and employed substantially differently by organizations with the best
track-records includes: the criticality of IT assets and information; the likelihood of threats to IT assets and information; the
history of attacks, threats, vulnerabilities and changes to IT assets and information; the capacity and motivation of attacks
and threats; a prioritization of business risks; and an analysis of residual business risks.
By comparison, the only source of information employed by a majority of the firms operating in the norm involves a review
of IT policies and procedures: all other sources of information for managing business risk from the use of IT are employed
at rates far below those used by best-in-class firms.
Lastly, the firms with the worst track-records are not at parity with any information sources being employed to manage risk
with the exception of an analysis of the effectiveness of controls to manage risk, which is too infrequent to be effective.
Despite rating the effectiveness of controls assessments equally, the difference in the frequency of assessments is a
significant reason for the differences in the outcomes being experienced by organizations. The disparity between the
frequency of control and risk assessments among the best performers and the other sources of information valued by
these organizations for managing business risks indicates:
• Very frequent assessments of controls are considered table stakes by the best performers
• Additional information is critical to effectively managing risk among the best performers
• Understanding the human motivations involved is critical to managing the business risks
While automation is critical to the success being enjoyed by best-performers, it is what these organizations are doing with
additional information to manage risk that makes the difference in better outcomes, lower financial losses, and less money
spent on audit (Figure 19).
Figure 19: Information used for managing risk from the use of IT

Source: IT Policy Compliance Group, 2009

Additional tools and methods for managing risk


Among the firms with the lowest financial and operating risks, additional resources employed by organizations to manage
business risks from the use of IT are dominated by the use of vendor notification, updates and patches, as well as the use
of homegrown risk assessment procedures and methods.
In comparison, such tools and methods as OVAL, CVE, SCAP, OCTAVE, Star and NIST frameworks are more widely
employed by organizations that are having greater problems, larger risks and worse operational results from the use of IT
(Figure 20).


Figure 20: Additional tools and methods for managing risk

Source: IT Policy Compliance Group, 2009


The primary divergence between the best in class and all other organizations occurs with the use of OVAL (open
vulnerability assessment language), CVE (common vulnerabilities and exposures) and SCAP, which are employed for
managing vulnerabilities in IT systems, networks and applications. The same divergence in outcomes exists among firms
employing OCTAVE (operationally critical threat, asset and vulnerability evaluation), as well as the Star and NIST 800-53
frameworks for managing risk from the use of IT.
The higher utilization of such tools as OVAL, CVE and SCAP among firms with the worst results is consistent with the
finding that the best-in-class organizations are relying instead on vendors for managing threats and vulnerabilities in IT.
The lower utilization of OCTAVE, Star and similar risk management frameworks is consistent with the finding that the
organizations with the lowest risk and loss are employing home-grown approaches to managing risk from the use of IT.
Organizations that want to improve results should consider adopting what's working among the organizations with the best
track-records: vendor notifications and home-grown risk management methods.

Reports routinely produced to manage risk


While more technical controls along with frequent assessment and reporting are the hallmark of best-practices
implemented among organizations, reporting on findings is an equally important diagnostic tool: one that is employed to
identify trends, changes, weaknesses, and areas of strength to better manage business risk from the use of IT.
The reports routinely produced, weekly and bi-weekly, by a majority of the organizations with the best track-records
include:
• Operational quality and policy compliance reports
• Real-time event and IT security test reports
• Financial and business impact summaries
• Electronic dashboard summaries
Compared with the best performers, all other organizations either are not producing these kinds of reports, or are
producing only some of them. Moreover, the information provided has little value when these reports are produced once
every five to seven months, instead of weekly and bi-weekly.
In addition to these reports, best-in-class organizations also more routinely produce reports on legal and regulatory
compliance (Figure 21).


Figure 21: Reports routinely produced to manage risk

Source: IT Policy Compliance Group, 2009

Risk scoring, assessment and analysis


The most common dashboard among best-in-class firms includes a simple CIA scoring system ranging from one to three,
one to five, or one to 10. In some cases, simple color-coded schemes are employed among the best performing
organizations to flag divergence from desired risk profiles (Figure 22).
Figure 22: Risk Scoring, assessment and analysis

Source: IT Policy Compliance Group, 2009

Augmented by drill-downs across the range of critical business systems, controls and procedures, these risk scoring and
analysis systems provide managers with trends in operations and indicate whether changes warrant further investigation
and action by the organization.


In combination, scoring the loss of confidentiality, integrity, and availability, the use of simpler approaches to gauging the
severity of impact to the organization, and analysis of the impact to mission and data criticality are resulting in far better
outcomes among the 60 percent or more of the best performers relying on these approaches for risk scoring and analysis.
By comparison, sophisticated financial loss calculations and even simpler business risk by threat calculations are not
widely employed. Moreover, the key difference between outcomes is clearly centered on scoring the loss of confidentiality,
integrity and availability and the business impact of such degradations on the organization.
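The scoring approach described above, as an added example of the dashboard logic (not the report's own or any vendor's tool). It assumes a 1-to-5 scale for the loss of confidentiality, integrity and availability (one of the scales the report mentions), a mission/data criticality weight on the same scale, a desired risk profile per system, and colour-coded divergence plus week-over-week trends; the system names and scores are constructed.

```python
"""CIA risk-scoring dashboard logic (added example; systems and scores are constructed).

Assumptions: each critical system is scored 1..5 per CIA dimension (1 = negligible
loss, 5 = severe loss), carries a 1..5 mission/data criticality weight, and has a
desired profile giving the highest acceptable score per dimension. Divergence from
the profile is colour-coded and worsening trends are flagged for investigation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class CiaScore:
    system: str
    scores: Dict[str, int]    # dimension -> current loss score, 1..5
    criticality: int          # mission/data criticality weight, 1..5
    desired: Dict[str, int]   # dimension -> highest acceptable score, 1..5

    def __post_init__(self) -> None:
        for d in DIMENSIONS:
            if self.scores.get(d) not in SCALE or self.desired.get(d) not in SCALE:
                raise ValueError(f"{self.system}: {d} score out of range")
        if self.criticality not in SCALE:
            raise ValueError(f"{self.system}: criticality out of range")


def divergence(s: CiaScore) -> Dict[str, int]:
    """Points above the desired profile per dimension (0 when within profile)."""
    return {d: max(0, s.scores[d] - s.desired[d]) for d in DIMENSIONS}


def colour(s: CiaScore) -> str:
    """Green within profile, amber one point over on any dimension, red beyond that."""
    worst = max(divergence(s).values())
    return "green" if worst == 0 else "amber" if worst == 1 else "red"


def business_impact(s: CiaScore) -> int:
    """Worst CIA score weighted by mission/data criticality (1..25)."""
    return max(s.scores.values()) * s.criticality


def trend(previous: CiaScore, current: CiaScore) -> List[Tuple[str, int]]:
    """Dimensions that worsened since the last report, with the size of the change."""
    return [(d, current.scores[d] - previous.scores[d])
            for d in DIMENSIONS if current.scores[d] > previous.scores[d]]


def needs_investigation(previous: Optional[CiaScore], current: CiaScore) -> bool:
    """Escalate when red, or when a system outside its profile is still getting worse."""
    if colour(current) == "red":
        return True
    return previous is not None and colour(current) != "green" and bool(trend(previous, current))


def dashboard(previous: Dict[str, CiaScore], current: List[CiaScore]) -> List[dict]:
    """Summary rows sorted by business impact, highest first."""
    rows = []
    for s in current:
        prev = previous.get(s.system)
        rows.append({"system": s.system, "colour": colour(s), "impact": business_impact(s),
                     "worsened": trend(prev, s) if prev else [],
                     "investigate": needs_investigation(prev, s)})
    return sorted(rows, key=lambda r: r["impact"], reverse=True)


# Constructed sample: last week's and this week's scores for two systems.
_CARD_DESIRED = {"confidentiality": 2, "integrity": 2, "availability": 2}
_HR_DESIRED = {"confidentiality": 3, "integrity": 3, "availability": 3}
LAST_WEEK = {
    "card-processing": CiaScore("card-processing",
                                {"confidentiality": 2, "integrity": 2, "availability": 1}, 5, _CARD_DESIRED),
    "hr-portal": CiaScore("hr-portal",
                          {"confidentiality": 3, "integrity": 2, "availability": 4}, 3, _HR_DESIRED),
}
THIS_WEEK = [
    # confidentiality score jumped from 2 to 4: two points over profile -> red
    CiaScore("card-processing", {"confidentiality": 4, "integrity": 2, "availability": 1}, 5, _CARD_DESIRED),
    # unchanged, one point over on availability -> amber but no new worsening
    CiaScore("hr-portal", {"confidentiality": 3, "integrity": 2, "availability": 4}, 3, _HR_DESIRED),
]

if __name__ == "__main__":
    for row in dashboard(LAST_WEEK, THIS_WEEK):
        print(row)
```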

Managing business and financial risks from the use of IT


Managing business risks from the use of IT is very different from the traditional approach employed for managing financial
risk. For example, the most common approach employed for managing financial risk depends upon the assumption of a
normal distribution of negative and positive financial returns. The majority of returns, negative and positive, should fit
within one sigma. In attempting to achieve better outcomes, most organizations try to shift the normal distribution to the
right toward more positive returns while minimizing the left tail (negative returns) for revenue and profit yield curves
(Figure 23).
Figure 23: Approaches to managing financial and business risk

Source: IT Policy Compliance Group, 2009

The incentive for managing positive returns from the use of IT is traditionally associated with optimizing the availability of
IT services, new application deployments, new technologies supporting more effective business procedures, and reducing
expenses that drive lower cost of sales, lower cost of goods sold, and lower general and administrative costs.
The mirror side of this, managing financial risks from the use of IT, is directly related to managing the loss of
confidentiality, integrity and availability of information resources, assets and procedures. Unlike managing risks for
positive and negative outcomes, managing risk from the loss of confidentiality, integrity and availability is driven by
reducing negative outcomes at acceptable costs.
Of the three, only the availability of IT services stretches from the positive to the negative side of the yield curve, often
expressed as the percentage of uptime (positive, 99.9 percent for example) and downtime (negative, 0.1 percent for
example). However, managing financial risk from data loss and lapses in the integrity of controls in IT is different from
traditional financial risk management.
Rather than the positive and negative outcomes associated with managing traditional financial returns, managing risk from
the loss of confidentiality, integrity and availability is optimized when negative outcomes are held to acceptable levels at
acceptable costs. The dominant approach to managing business risk from the use of IT is ensuring that risk controls are
appropriately managed to reduce the events that would otherwise lead to negative financial outcomes.


Managing spend on information security for better outcomes


Spend on information security varies by industry and size of organization. Spend increases with size of organization from
lows of four percent of the total IT budget to highs exceeding 10 percent of the total IT budget. However, IT budgets differ
by industry and by size of organizations within each industry.
In addition, the relative spending on information security reveals an interesting finding. Organizations experiencing the
worst outcomes with the most financial risk are spending 1.8 times more on information security than the seven in 10
organizations with normative outcomes. Furthermore, organizations with the best outcomes and the least financial risks
from the use of IT are spending twice as much on information security as the seven in 10 organizations with normative
outcomes (Figure 24).
Figure 24: Relative spending on information security

Source: IT Policy Compliance Group, 2009


Whatever the absolute amount being spent on information security by a particular firm in a specific industry, the findings
reveal:
• Most firms, seven in 10, are under-spending on information security
• Organizations with vastly different outcomes, worst and best, are spending nearly the same
For example, for every dollar being spent on information security by seven in 10 large organizations in banking or
healthcare, there are two in 10 spending between 1.5 and 1.8 times more that are experiencing the highest rates of data
loss or theft, the most downtime from disruptions in IT and the worst problems with regulatory audit.
Conversely, those with the best track-records are spending between 1.5 and 2 times more on information security. As a
result, the research clearly shows that to improve results:
• Organizations with the worst outcomes need to reallocate current spending toward practices that deliver better results
• A majority of organizations need to increase spending on practices that deliver better results.

Financial returns for managing risks from the use of IT


The financial returns for improving practices for managing risks from the loss or theft of customer data, and the loss of
productive time due to failures or disruptions in IT are depicted by Figure 11. The returns for seven in 10 organizations
operating at the norm are more than 100 percent and for most are above 1,000 percent. Financial returns, above and
beyond self-sustained loss thresholds, are far above the typical 20 percent screens for evaluating alternatives for cash and
investments (Table 6).


Table 6: Returns for improving data loss/theft and downtime results above self-sustained losses

Size (annual revenue or budget)   $50 million   $500 million   $5 billion   $50 billion
Worst practices                   960%          5,700%         51,000%      540,000%
Normative practices               200%          1,130%         11,800%      136,500%
Best practices                    22%           85%            450%         3,200%
Source: IT Policy Compliance Group, 2009

Financial returns for improving audit results in IT


The financial returns for improving the integrity of information, information assets, controls and audit results are from
reduced spending on audit fees and internal expenses, year in and year out. As shown, these returns increase to between
35 percent and 52 percent annually, when organizations implement practices that improve confidentiality, integrity and
availability within IT (Figure 25).
Figure 25: Annual savings from improvements to integrity and regulatory compliance

Source: IT Policy Compliance Group, 2009

Actions and practices delivering better results


The financial returns for improvements that manage business and financial risks from the use of IT are far above
self-sustained loss thresholds, and far above most financial screens. In fact, the returns are high enough that for most
organizations, there is no need to conduct cost justifications or cost-benefit analyses.
Incremental spending to improve practices will yield large returns from annual savings on audit fees and expenses, and
from the avoidance of predictable financial loss. Rather than thinking about the amount being spent, organizations should
be focusing on the amounts being saved, and how much yield can be purchased.
The actions and practices tied to reallocation of current spending, and increases where needed, include:
 Establishing goals and objectives for managing operational outcomes and financial risk from the use of IT
 Managing spending for the practices that actually reduce risk
 Establishing goals and objectives for reducing spend on regulatory audit
 Organizing for success by:
- Having the Chief Information Security Officer (CISO) manage information security and compliance
- Placing the IT operations officer or manager in charge of the availability of IT services
- Engaging senior leadership from IT, legal, business and plant security to manage risks


 Taking specific actions, including:
- Prioritizing and managing the business risks
- Improving IT controls and procedures to manage the business risks
- Automating the collection of IT audit data
- Increasing the frequency of monitoring, assessments and reporting to weekly and bi-monthly
 Automating more IT controls to manage risks, especially:
- Technical IT security controls
- Authorized user account controls
 Scoring business risks from the use of IT based on:
- Loss of confidentiality, integrity and availability
- Severity of business and mission impact
 Routinely using dashboards for reporting on business risks from the use of IT that include:
- Operational quality level reports
- Financial and business impact summaries
- Policy compliance reports
- Legal and regulatory impact reports
- Real-time event reports
- IT audit test reports
- IT security test reports


About the Research


Topics researched by the IT Policy Compliance Group (IT PCG) benchmarks are part of an ongoing calendar established
in consultation with advisory members, general members, and supporters of the Group, as well as from findings compiled
from ongoing research. In addition to specific tracking questions common to each benchmark, the research is designed to
uncover the relationship between business results, the actions organizations have taken in response to business
pressures, and the capabilities these organizations have to respond to business pressures.
This report includes research findings that date back more than two years, as well as findings from recent benchmarks
conducted in the past six months. The findings related to outcomes being experienced in IT, spending on regulatory
compliance, and industry performance profiles are compilations of benchmarks across 2,648 organizations. The financial
loss and return findings are from benchmarks conducted with 1,260 organizations. The most recent findings focusing on
the primary business and financial risks along with actions organizations are taking to manage these risks are from
benchmarks conducted with 481 organizations between September and October 2008. Findings from benchmarks on the
organizational structure for IT security, conducted with 253 organizations completed in December 2008, are also included.
A majority of the organizations (90 percent) participating in the benchmarks are located in North America and the
remaining ten percent of the participants come from countries located in Africa, Asia Pacific, Europe, the Middle East and
South America. The financial risks and audit costs of this research are applicable to public and private organizations
operating in North America. In addition, the operating outcomes and results apply equally well to organizations that
happen to be located in other industrialized geographies from around the world. Although the magnitude of financial
outcomes differs by geography and currency, the practices needed to manage lower financial risk, loss and cost for audits
are independent of geography or currency. As a result, the key recommendations focusing on the practices are applicable
to most organizations and areas of the world where IT services are embedded as part of common business procedures.
Industries represented
Almost every industry has participated in the benchmark, including accounting services, advertising, aerospace,
agriculture, apparel, architecture, automotive, banking, chemicals, computer equipment and peripherals, computer
software and services, construction, consumer durable goods, consumer electronics, consumer packaged goods,
distribution, education, engineering services, financial services, general business and repair services, government (local,
state and federal level public administration), government (defense and intelligence), health, medical and dental services,
insurance, law enforcement, legal services, management services, scientific and consulting services, manufacturing,
medical devices, metals and metal products, mining, oil and gas, paper, timber and lumber, pharmaceuticals, public
relations, publishing, media and entertainment, real estate, rental and leasing services, retail trade, telecommunications
equipment, telecommunication services, transportation and warehousing, travel, accommodation and hospitality services,
utilities, waste management and wholesale trade. The largest industries represented by the benchmark findings are
healthcare, financial services and manufacturing, each of which account for eight percent of participating organizations.
Education and government (public administration at local, state and federal levels) each represent six percent of the
sample. All other industries account for less than five percent of benchmark participants.
Revenue of participating organizations
Thirty-three percent of the organizations participating in the benchmark have annual revenues or budgets that are less
than $50 million. Another 31 percent have annual revenues or budgets that are between $50 million and $999 million. The
remaining 36 percent have annual revenues or budgets that are $1 billion or more.
Functional areas of responsibility
Forty-four percent of the participants work in IT, 28 percent of participants work in finance and internal controls, and 23
percent work in legal and compliance functions within their organizations. The remaining eight percent of qualifying
participants work in a wide range of job functions, including senior managers in customer service, sales, marketing,
manufacturing and development functions.
Job titles of participants
Twenty-three percent of the participants in the benchmarks are senior managers, 16 percent are vice presidents, 37
percent are managers or directors, and 24 percent are staff.


About IT Policy Compliance Group


The IT Policy Compliance Group is dedicated to promoting the development of actionable findings that will help
organizations meet their IT policy and regulatory compliance objectives. The Group Web site at
www.itpolicycompliance.com features content by some of the leading experts in the world of IT and regulatory compliance,
interactive self-assessment tools, published research reports, resource links and educational seminars being conducted
around the world.
The Group’s research is designed to help IT, legal, financial, and internal control professionals to:
 Benchmark results and efforts against peers and best-in-class performers
 Identify key drivers, challenges, and responses to improve results
 Determine the applicability and use of specific capabilities to improve results
 Identify best practices based on results of the benchmarks

The Group relies upon its advisory members, associate members, supporting members and significant benchmark findings
to drive its research and editorial calendar.

IT Policy Compliance Group Supporters

Symantec Corporation
20330 Stevens Creek Boulevard
Cupertino, CA 95014
+1 (408) 517 8000
www.symantec.com
info@symantec.com

The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701
+1 (407) 937 1100
www.theiia.org
iia@theiia.org

Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
+1 (847) 253 1545
www.isaca.org
info@isaca.org

Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
+1 (415) 947 6320
www.gocsi.com
csi@cmp.com

Protiviti
1290 Avenue of the Americas, 5th Floor
New York, New York 10104
+1 (212) 603 8300
www.protiviti.com
info@protiviti.com

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
+1 (847) 660 5600
www.itgi.org
info@itgi.org

Founded in 2005, the IT Policy Compliance Group conducts
benchmarks that are focused on delivering fact-based guidance
on the steps that can be taken to improve results. Benchmark
results are reported through www.itpolicycompliance.com for the
benefit of members.

IT Policy Compliance Group

Contact:
Managing Director, Jim Hurley
Telephone: +1 (216) 373 7010
jhurley@itpolicycompliance.com
www.itpolicycompliance.com
February 2009

The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but is not
guaranteed. Research publications reflect current conditions that are subject to change without notice.

Copyright © 2009 IT Policy Compliance Group. Names and logos may be trademarks of their respective owners.
All rights reserved. 2/09 2875196
