Firms Don’t Budget to Protect IP

Monday, April 22, 2013 @ 11:04 AM gHale

Cyber thieves seeking to steal intellectual property (IP) and other trade secrets to further nation-state or competitive aims continue to target U.S. firms. Even so, organizations with valuable assets to protect are not budgeting to effectively protect those assets, a new survey said.

Firms fail to calculate information security costs against the revenue potential for new products and services, and they need to prioritize their security spending decisions based on real expectations of the impact on revenue if cyber thieves steal important IP, said the “Technology Adoption Profile (TAP) study” conducted by Forrester Consulting on behalf of Verdasys.

While firms believe they are responding to the risks posed by cyber threats, most need better financial tools and processes to value information, measure and track protection costs, and build the business case for more effective information security.

“While these firms may believe they have good budgeting practices in place, it is very likely that they do not,” the study’s author said. “Even though awareness is at an all-time high, senior leaders still demand a sound business case when making investments of any kind. The questions they ask are, ‘If we spend this money, is our intellectual property going to be any more secure?’ The IT department simply budgeting for security based on historic data is no longer sufficient,” the study said. “Organizations need to prioritize their security spending decisions based on real expectations of the impact on revenue if cyber thieves steal important IP.”

To create the survey, Forrester leveraged its Forrsights Security Survey from Q2 2012, which included 1,053 security decision makers at North American organizations of 500 or more employees, and supplemented this data with custom survey questions asked in Dec. 2012 of 50 security decision makers in North American organizations with 500 or more employees.

High-profile breaches at technology, aerospace, oil, and manufacturing companies have increased risk awareness at the executive level, with 463 decision makers saying these public cyber attacks have resulted in increased attention on the security of intellectual property and corporate secrets at their firms. But while 76 percent of respondents said their firms rigorously evaluate information security budgets each year to ensure sufficient funding to address known and anticipated cyber threats, 52 percent said that, in calculating information security costs, they only sometimes, rarely or never include the revenue potential for new products or services and a potential significant loss in revenue if a cyber attack is successful.

Companies can better estimate their information security costs by business area and product line using a ratio of security cost to product revenue as a planning tool to aid financial investment in information security.

This value-based approach to protecting critical data can better help firms provide financially driven answers to the questions, “Are we spending the right amount of money?” and “Are we secure enough?”
