Managing Spend on Information Security and Audit for Better Results
Executive Summary
Much like an insurance deductible, all organizations are willing to sustain some level of financial loss
from the loss or theft of customer data and business downtime from disruptions occurring in IT. However,
compared to the financial exposure and losses being experienced, the losses organizations are willing to
sustain are exceedingly low, and the returns for making improvements are extraordinarily high.
Specifically, the primary business and financial risks are due to losses or lapses occurring in three areas:
- Confidentiality, or protection, of sensitive information
- Integrity of information, assets and controls in IT
- Availability of IT services
Loss of confidentiality, integrity and availability are larger business and financial risks than are outsourced IT projects, systems, information or delays to critical projects.
These three – the loss of confidentiality, integrity and availability — are ranked as the top business risks by organizations, well ahead of other possible risks, including those from outsourced IT projects, systems and information, delays to critical IT projects, and shortages of IT skills. Although these are the primary business risks, the outcomes being experienced by organizations for these three principal risks vary considerably.
Best outcomes: Only about one in 10 organizations — 13 percent — are consistently operating
with the best results, including fewer than three losses or thefts of sensitive information, less than
six hours of business downtime, and fewer than three deficiencies to correct to pass audit.
The financial outcomes being experienced by organizations are directly related to the outcomes being managed within IT.
Organizations with the worst outcomes in IT are experiencing higher levels of financial exposure and loss than all others.
However, it is the majority of organizations that are overspending on audit.
The financial exposure from the loss or theft of customer data and business downtime depends
almost entirely on the practices implemented in IT to manage these risks (Figure 1).
Figure 1: Financial exposure from data theft or loss
Practices implemented by organizations impact both the magnitude of financial loss and when losses
occur. For example, best-in-class firms delay the onset of data loss or theft to decades or longer, while
also reducing the magnitude of financial impact. This is in contrast to firms with the worst practices that
experience more frequent, and higher, financial consequences from the loss of customer records. Unlike the loss or theft of data, the onset of business disruptions or inability to access information is a more common occurrence. Fortunately, the loss or theft of customer data does not occur every week, or for many organizations every year. But for some organizations the loss of data occurs more frequently than others.
When the onset of data loss or theft occurs and the frequency and extent of business disruptions
due to failures and disruptions occurring in IT are taken into account, the average annualized losses
incurred by organizations, while lower, remain substantial (Table 1).
Table 1: Average annualized financial loss rates – data loss-theft and downtime
Annual revenue or budget   Worst practices   Normative practices   Best practices
$50 million                $1.5 million      $240,000              $20,500
$500 million               $19 million       $3.3 million          $211,000
$5 billion                 $329 million      $60 million           $2.25 million
$50 billion                $5 billion        $1.2 billion          $25 million
Source: IT Policy Compliance Group, 2009
in a few industries, such as publishing, media, entertainment, medical devices, and aerospace are experiencing
worse or better outcomes than firms in other industries, most firms and most industries are operating at the norm.
Recommendations
The organizations with the best outcomes, the lowest financial losses and the lowest spending on regulatory
audit take very different actions and implement very different practices than all other firms. The recommendations,
based on results being achieved by the best-performers, include:
- Establish goals and objectives for managing operational outcomes and financial risk
- Manage spending for practices that reduce risk
- Establish goals and objectives for reducing spend on regulatory audit
- Organize for success by:
  - Having the Chief Information Security Officer (CISO) manage information security and compliance
  - Placing the IT operations officer or manager in charge of the availability of IT services
  - Engaging senior leadership from IT, legal, business and plant security to manage risks
Benchmark Findings
Primary business risks from the use of IT
The primary business risks associated with the use of IT are directly related to: 1) the availability of IT resources and assets for
business purposes; 2) the integrity of IT assets and information; and 3) the confidentiality of information. Measured most recently
across 481 organizations, the findings reveal the top business risks include:
The top five business risks are all related to the loss of confidentiality, integrity and availability (CIA). For example, the loss or
theft of customer data is directly related to a loss of capacity to protect sensitive information, IT failures and service disruptions
can directly impact business service levels, and the loss of integrity for critical IT assets and information is something that is
tested through internal audit, external audit, and IT security tests.
The other top-ranking business risks, theft or fraud of assets or information, and Internet security threats, can result in
compromises that impact the confidentiality of sensitive information and the integrity of an organization's controls and procedures,
and can directly impact the availability of IT services.
Although identified as individual responses from the benchmarks, the results are clear: the primary business risks from the use of IT are directly related to the loss of confidentiality, integrity and availability of IT assets, information and procedures.
Operating outcomes in IT
The outcomes being experienced by organizations for these three major business risks are not alike. For example, some
organizations are experiencing much more loss and theft of customer data while others have few if any such losses or thefts to
report. Among those with the best track-records, roughly one-in-ten organizations — 13 percent — consistently have the
lowest rates of data loss or theft, the fewest number of regulatory deficiencies in IT to pass audit, and the least amount of
business downtime due to failures and disruptions in IT. In contrast, almost two-in-ten organizations — 19 percent —
consistently have the highest rates of data loss and theft, the most problems with regulatory compliance in IT, and the most
business downtime due to failures and disruptions in IT. A majority of organizations — 68 percent — are operating somewhere
between these two extremes, with between four and 15 losses or thefts of sensitive information each year, four to 15
compliance deficiencies in IT that must be corrected to pass audit, and between seven and 59 hours of business downtime
due to failures and disruptions occurring in IT (Figure 4).
Figure 4: Operating outcomes from the use of IT
Almost all (97 percent) of the organizations with the least loss or theft of customer data are the exact same firms with the
fewest regulatory compliance deficiencies in IT to correct to pass audit. The other three percent were unlucky and had slightly
more compliance deficiencies.
A majority of the organizations (76 percent) with the highest losses of customer information are the exact same firms with the largest number of compliance deficiencies in IT to correct to pass audit. In between these two extremes, a majority of organizations (93 percent) operating in the middle had between four and 15 losses or thefts of data and between four and 15 regulatory compliance deficiencies that had to be corrected to pass audit in the past year. The same pattern of outcomes can be seen in the relationship between business downtime and regulatory audit results, where almost all (97 percent) of the best performing organizations had the least business downtime and the fewest regulatory deficiencies to correct in IT to pass audit. By comparison, about eight in 10 (76 percent) of the worst performers are experiencing more than 60 hours of business downtime and 16 or more regulatory compliance deficiencies to correct in IT.
When an organization does well, it consistently does well at maintaining the confidentiality, integrity and availability of its information assets; if it is not doing well, results suffer across the board.
Most organizations, almost eight in 10 (76 percent) are posting results that include business downtime levels between seven
and 59 hours annually and between four and 15 regulatory deficiencies to correct in IT (Figure 6).
Figure 6: Outcome profiles are shared for business downtime and regulatory compliance
Beyond the top five reasons for compliance deficiencies, seven of the top 10 reasons for compliance deficiencies flagged by audits involve the handling and protection of information and related IT assurance and security functions within organizations (Figure 7).
The top five deficiencies found in audit are directly related to the loss of confidentiality, integrity and availability: the primary business risks from the use of IT.
The uncanny relationship between operating outcomes in IT and the fact that
a majority, or almost all of the same firms are experiencing similar outcomes, indicates that the integrity of information, assets,
and controls in IT has a profound influence on the ability to protect critical information and maintain authorized access to
information for the organization.
An obvious conclusion from the benchmarks is that the information security and audit practices within IT strongly influence
operational outcomes for data loss and theft, operational resilience, the integrity of controls for managing risk, and conformance
with the policies of the organization and its external audit and reporting mandates.
Instead of seven in 10, about eight in 10 smaller organizations operate at the norm for data loss, availability and the
integrity of regulatory audit. Among midsize organizations, two in 10 are operating at the worst levels, seven in 10 are
operating in the middle, and one in 10 are operating at the best levels for preserving confidentiality, integrity and
availability in IT.
Large organizations, those with more than $1 billion in annual revenue or budget, are similarly operating close to norms
with more than two in 10 with worst results, slightly more than six in 10 at the norm, and slightly more than one in 10 with
the best results.
For two in 10 organizations, those with the highest rates of data loss, business disruptions, and regulatory non-compliance
problems, the financial exposure is almost 10 percent of revenue (budget) from the loss or theft of data. The exposure
from disrupted business due to IT failures ranges from 1 to 10 percent depending on the extent of the disruptions.
Organizations with the lowest financial risk from the use of IT are the one in 10 operating at best-in-class levels. The financial exposure among these organizations is less than 0.5 percent of revenue (budget) from the loss or theft of customer data. Exposure from disrupted business ranges from 0.02 to 0.2 percent of revenue. These organizations are also spending the least on regulatory audit, with average spending 52 percent lower than the majority of firms operating at the norm (Figure 10).
For example, an organization with $1 billion in annual revenue operating in the middle of the pack for managing
confidentiality, integrity and availability risks is exposed to $64 million from expenses and capital losses after the loss or
theft of customer data. This same organization is exposed to expenses that range from $1 to $10 million from business
disruptions due to IT failures and service disruptions. Spending the most to vet the integrity of its financial filings and other
regulatory reporting requirements, these organizations are spending an average of $7.6 million on audit fees and
expenses.
By comparison, best-in-class firms of the same size are exposed to less financial risk and are spending less on audit: less
than $500,000 from the loss or theft of data; between $200,000 and $2,000,000 from disrupted business operations; and
less than $4 million spent on regulatory compliance fees and expenses.
Figure 10: Financial exposure from managing outcomes in IT
Size (annual revenue or budget)   $50 million   $500 million   $5 billion   $50 billion
Worst practices                   93 hours      104 hours      132 hours    179 hours
Normative practices               8 hours       9 hours        12 hours     16 hours
Best practices                    2 hours       2 hours        3 hours      4 hours
Source: IT Policy Compliance Group, 2009
The frequency of data loss or theft varies with the size of an organization and the practices implemented to mitigate such loss
or theft. This may be due to several factors, including an increase in reporting requirements mandated by new data
breach reporting laws and less experience with reducing these incidents compared with progress made on maintaining
business continuity during the past twenty years.
The likelihood of experiencing data loss or theft currently depends on an organization's practices and its size. For example,
larger organizations are more likely than smaller businesses to experience the theft or loss of data. Moreover, firms with
the best practices for managing confidentiality and integrity risks in IT are less likely to experience theft or loss of data.
Based on the benchmarks with more than 2,600 organizations, available public reports, and the numbers of firms by size,
the likelihood of underlying data loss and theft events having a negative financial impact for the organization ranges from
once every year to once in hundreds of years (Table 3).
Table 3: Likelihood of data losses or thefts
Size (annual revenue or budget)   $50 million       $500 million     $5 billion       $50 billion
Worst practices                   1 in 9 years      1 in 5 years     1 in 2 years     1 in 1 year
Normative practices               1 in 23 years     1 in 14 years    1 in 6 years     1 in 3 years
Best practices                    1 in 245 years    1 in 95 years    1 in 38 years    1 in 21 years
Source: IT Policy Compliance Group, 2009
Several observations emerge when losses are annualized. The first is that financial impact from data loss or theft
overwhelms the impact from downtime for the one in 10 organizations not operating with the best practices. The second is
that for most small organizations, those with less than $50 million in revenue or annual budget, the larger financial risk is
business downtime, not data loss or theft. Lastly, for most organizations over $50 million in revenue or annual budget, the
larger financial exposure is from the loss or theft of information.
Financial returns
When financial exposure and loss levels are divided by the self-sustained loss thresholds that organizations are willing to
endure before spending money to improve results, the value at risk above and beyond the self-insurance loss thresholds
reveals two interesting findings:
1) most organizations are underfunding financial risks from the use of IT
2) only the smallest of organizations have financial reason to conduct a cost benefit analysis
All organizations above $500 million in revenue or budget have huge financial incentives to fund the necessary
improvements to reduce risks from the loss of data, downtime, and integrity that is measured by audit (Figure 11).
Figure 11: Financial returns for information security and operational assurance
The returns for spending additional money, above and beyond the self-sustained loss thresholds are easily above 100
percent for a majority of organizations, far above the typical 20 percent hurdles considered necessary for new business
initiatives. For many organizations, the returns exceed 1,000 percent: sufficiently high to eliminate a need for cost
justifications and cost benefit analysis.
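The annualization described under Table 3 and the return-on-spend arithmetic of this section, as an added Python example that is not the Group's own benchmark model: it spreads a one-time exposure over the expected years between events, subtracts the self-sustained loss threshold, and divides the loss avoided by moving between practice tiers by an assumed improvement spend. The intervals are copied from Table 3 and the annualized losses from Table 1; the $64 million figure is the report's $1 billion example; the improvement spend, the threshold, and the use of the $500 million interval for a $1 billion organization are constructed assumptions.

```python
# Added example (not from the IT Policy Compliance Group report): a small
# model of the annualized-loss and return-on-spend arithmetic the report
# describes. Table values are copied from the report; the spend and
# threshold inputs used below are constructed for illustration.

# Table 3 (report): expected years between data loss/theft events that have
# a negative financial impact, by organization size and practice tier.
YEARS_BETWEEN_EVENTS = {
    "worst":     {50e6: 9,   500e6: 5,  5e9: 2,  50e9: 1},
    "normative": {50e6: 23,  500e6: 14, 5e9: 6,  50e9: 3},
    "best":      {50e6: 245, 500e6: 95, 5e9: 38, 50e9: 21},
}

# Table 1 (report): average annualized financial loss (data loss/theft plus
# downtime), in dollars, by organization size and practice tier.
ANNUALIZED_LOSS = {
    "worst":     {50e6: 1.5e6,  500e6: 19e6,  5e9: 329e6,  50e9: 5e9},
    "normative": {50e6: 240e3,  500e6: 3.3e6, 5e9: 60e6,   50e9: 1.2e9},
    "best":      {50e6: 20.5e3, 500e6: 211e3, 5e9: 2.25e6, 50e9: 25e6},
}


def annualize(exposure: float, years_between_events: float) -> float:
    """Spread a one-time exposure over the expected interval between events.

    Assumption: exposure / interval is the simplest reading of "taking the
    onset and frequency into account"; events are treated as evenly spread.
    """
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return exposure / years_between_events


def value_at_risk_above_threshold(annual_loss: float, threshold: float) -> float:
    """Annual loss above what the organization is willing to self-sustain."""
    return max(0.0, annual_loss - threshold)


def return_on_spend(loss_avoided: float, spend: float) -> float:
    """Simple annual return, in percent, of loss avoided per dollar spent."""
    if spend <= 0:
        raise ValueError("spend must be positive")
    return 100.0 * loss_avoided / spend


def tier_improvement_return(size: float, from_tier: str, to_tier: str,
                            spend: float, threshold: float = 0.0) -> float:
    """Return (percent) of moving between practice tiers, using the report's
    Table 1 annualized losses and a constructed improvement spend."""
    before = value_at_risk_above_threshold(ANNUALIZED_LOSS[from_tier][size], threshold)
    after = value_at_risk_above_threshold(ANNUALIZED_LOSS[to_tier][size], threshold)
    return return_on_spend(before - after, spend)


if __name__ == "__main__":
    # Report example: a $1 billion organization at the norm carries about
    # $64 million of exposure from one loss or theft of customer data.
    # Table 3 has no $1 billion row, so the $500 million normative interval
    # (14 years) is used here as an assumption.
    print(f"annualized data-loss exposure: ${annualize(64e6, 14):,.0f}")
    # Constructed inputs: $1 million improvement spend and a $250,000
    # self-sustained loss threshold for a $500 million organization moving
    # from the norm to best practices.
    pct = tier_improvement_return(500e6, "normative", "best", spend=1e6, threshold=250e3)
    print(f"return on moving norm -> best at $500 million: {pct:,.0f}%")
```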
among the firms with the best outcomes, with the least financial risk and loss. By contrast, firms without a CISO are among six
in 10 of the organizations experiencing the worst outcomes, with the highest financial risk and loss (Figure 13).
The IT operations group in most organizations is goaled and rewarded for keeping the lights on, so to speak. When systems,
information and applications are not available for business purposes, it is the IT operations department that is tasked with
ensuring rapid recovery and resumption of business procedures.
Unfortunately, there is an inherent conflict of interest by having the same department, or person, be responsible for
“availability” while also being responsible for confidentiality and integrity. For example, all of the systems, applications and
networks responsible for serving up credit card transaction data, or patient data, could remain available even if the
confidentiality and integrity of systems and information have been compromised.
The conflict of interest, between keeping information, systems and applications available, and the integrity and confidentiality
of the underlying information and controls is best served by having the CISO manage confidentiality and integrity, and the IT
operations officer manage availability.
Figure 13: Impact of CISOs on results
After rationalizing the conflict of interest that exists between confidentiality, integrity, and availability, the organizations with the
best track-records for managing risk in IT leverage the organization to manage risk, relevant to the business operating
environment.
Leveraging the organization
Among the organizations with the least business risk and lowest financial risks from the use of IT, both IT operations and the IT
security and assurance function are deeply involved in managing business risks. After these two groups, the best-in-class
organizations also involve:
- The Chief Information Officer (CIO)
- Legal counsel
- Business unit managers
- Plant and physical security staff
Although there are some small differences in the involvement of internal audit and a chief risk officer, if the role exists, the
primary differences, directly related to outcomes, are the cross-disciplinary involvement between IT, business units, legal
counsel and plant security (Figure 14).
By comparison, organizations with the worst outcomes and the highest financial risks are managing risks from IT operations
with the involvement of the CIO, legal counsel, IT audit and internal audit. In fact, these organizations limit the involvement of
information security and assurance when compared with other firms. Among these organizations, the incidence of a CISO is
low or non-existent.
By comparison, firms operating in the norm depend primarily on employee training as much as those with best track-records.
However, these organizations are not implementing the other actions taken by the best-in-class firms. For example, while 65
percent of the organizations with the best track records consistently prioritize and manage business risks, only 40 percent of
the seven in 10 organizations in the norm take this action.
Nearly 80 percent of the organizations with the best outcomes rely heavily on the use of technical IT security controls,
including those for authorized user accounts. By comparison, less than 60 percent of organizations operating in the
normative range value these controls, and less than 40 percent of the organizations experiencing the worst outcomes.
Augmented by drill-downs across the range of critical business systems, controls and procedures, these risk scoring and
analysis systems are providing managers with trends in operations and whether changes warrant further investigation and
action by the organization.
In combination, scoring the loss of confidentiality, integrity, and availability, the use of simpler approaches to gauging the severity of
impact to the organization, and analysis of the impact to mission and data criticality are resulting in far better outcomes
among the 60 percent or more of the best performers relying on these approaches for risk scoring and analysis.
By comparison, sophisticated financial loss calculations and even simpler business risk by threat calculations are not
widely employed. Moreover, the key difference between outcomes is clearly centered on scoring the loss of confidentiality,
integrity and availability and the business impact of such degradations on the organization.
The incentive for managing positive returns from the use of IT is traditionally associated with optimizing the availability of
IT services, new application deployments, new technologies supporting more effective business procedures, and reducing
expenses that drive lower cost of sales, lower cost of goods sold, and lower general and administrative costs.
The mirror side of this, managing financial risks from the use of IT, is directly related to managing the loss of confidentiality, integrity and availability of information resources, assets and procedures. Unlike managing risks for positive and negative outcomes, managing risk from the loss of confidentiality, integrity and availability is driven by reducing negative outcomes at acceptable costs.
Of the three, only the availability of IT services stretches from the positive to negative side of the yield curve, often
expressed as the percentage of uptime (positive, 99.9 percent for example) and downtime (negative, 0.1 percent for
example). However, managing financial risk from data loss and lapses in the integrity of controls in IT is different than
traditional financial risk management.
Rather than positive and negative outcomes associated with managing traditional financial returns, managing risk from the
loss of confidentiality, integrity and availability is optimized when unacceptable negative outcomes are achieved at
acceptable costs. The dominant approach to managing business risk from the use of IT is by ensuring risk controls are
appropriately managed to reduce events that will otherwise lead to negative financial outcomes.
Table 6: Returns for improving data loss/theft and downtime results above self-sustained losses
Size (annual revenue or budget)   $50 million   $500 million   $5 billion   $50 billion
Worst practices                   960%          5,700%         51,000%      540,000%
Normative practices               200%          1,130%         11,800%      136,500%
Best practices                    22%           85%            450%         3,200%
Source: IT Policy Compliance Group, 2009
The Group relies upon its advisory members, associate members, supporting members and significant benchmark findings
to drive its research and editorial calendar.
Founded in 2005, the IT Policy Compliance Group conducts
benchmarks that are focused on delivering fact-based guidance
on the steps that can be taken to improve results. Benchmark
results are reported through www.itpolicycompliance.com for the
benefit of members.
Contact:
Managing Director, Jim Hurley
Telephone: +1 (216) 373 7010
jhurley@itpolicycompliance.com
www.itpolicycompliance.com
February 2009
The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but is not
guaranteed. Research publications reflect current conditions that are subject to change without notice.
Copyright © 2009 IT Policy Compliance Group. Names and logos may be trademarks of their respective owners.
All rights reserved. 2/09 2875196