The continuing rift between IT security professionals and 'the business' has been highlighted by a new study that shows many organisations still attach little value to cyber security - even though they know the threat is growing.
The Turnkey Consulting survey finds that one in six IT security pros believe their organisation sees security merely as "an unnecessary expense only undertaken to keep auditors happy". And only just over one-third (37.5 per cent) of organisations view IT security as "an essential business practice that can deliver ROI" - down from 43.9 per cent the year before.
This is despite the fact that over two-thirds of enterprises (71.8 per cent) recognise that the IT security risks they face from external sources have increased.
Richard Hunt, managing director of Turnkey Consulting, said: "It is concerning to see that IT security is still not perceived to be an integral part of the business."
But CISO representatives say they are "not surprised" by the findings.
Tim Holman, president of the ISSA UK user group, told SCMagazineUK.com via email: "It's not surprising to hear any IT professional think this way, where there is often a lack of top-down cyber security support in the organisations they represent. What's more alarming is that given the increased reality of external threats, business owners and boards are still reluctant to take cyber security seriously, and often see it as a grudge purchase."
Holman insisted: "Good CISOs aren't cheap, but worth every penny in articulating cyber security risks at a board level. The techies at the coalface are rarely seen as influential, but that doesn't mean businesses should ignore them, as they perform a valuable and obvious front-line defence against cyber attacks."
But he qualified this, saying that while "businesses need to start listening to the professionals they employ, professionals also need to start talking to the businesses, and in language they understand".
Amar Singh, chair of the Security Advisory Group of industry body ISACA UK and interim CISO, agreed that security professionals need to work harder to get their message across.
He told SCMagazineUK.com: "Part of the problem with IT and 'the business' has always been the inability of the IT professional to properly relate to and explain the business imperative. The more you call it 'IT security' the less the business imperative - 'IT security' remains an IT problem."
Richard Hunt at Turnkey focused on how CISOs can change the perception of security.
"It is important that change management activities are undertaken to ensure employees throughout the organisation understand their individual responsibilities when it comes to IT security," he told SCMagazineUK.com.
"An element of basic awareness training should be undertaken in any company which should be followed up with regular reminders. The form these reminders take will vary, as a newsletter will be well-read in one company where an intranet site is more effective in another."
The survey, 'A Risk Perspective on 2014', also found that 38.2 per cent of the organisations responding had experienced a fraud incident, up from 31.3 per cent the previous year. Likewise, 30 per cent had experienced a data loss that affected business operations, up from 17.1 per cent.
The researchers questioned 55 IT professionals, all SAP software users involved in security and controls activities.