Concerns over security and risk stop project or business ideas progressing in nearly half of all organisations
Information security and risk management plays a critical role in UK organisations; however, the majority are currently failing to view it as an enabler of business value and innovation. This is according to a survey among UK IT decision makers commissioned by NTT Com Security (formerly Integralis), the global information security and risk management organisation.
The fact that just a quarter of UK organisations see security and risk management as an enabler to innovation and growth was revealed by Neal Lillywhite, SVP Northern Europe at NTT Com Security, at the company’s annual Information Security World (ISW 2013) conference in London yesterday.
“It’s interesting that those companies who see information security and risk as an enabler of business innovation and value, and who proactively base their spending on assessed risk, are much more likely to have the topic on the Board’s agenda. They are also much more confident when it comes to information security and risk matters,” he explained.
Security and risk/compliance is now regularly included on the agenda for Board meetings, with over half (56%) saying it is discussed ‘routinely’ (16%) or ‘frequently’ (40%), and less than a third (29%) discussing it at Board level only ‘occasionally’.
The survey also reveals that over half of all organisations view security and risk as critical to their discussions and planning of new products and services – with 6 in 10 financial organisations admitting this is the case. However, concerns over information security and risk have stopped either a project or business idea progressing in nearly half (49%) of all organisations surveyed, with the financial sector showing most concern – 56% have put projects or ideas on hold due to their fears.
The topic of risk was central to NTT Com Security’s ISW event, where Nick Leeson, responsible for the collapse of Barings Bank in 1995, presented to a packed room of over 300 security and risk professionals. Speaking frankly about what happened at Barings, Leeson said he believes that the lack of safeguards and the lack of visibility and control of risks that existed then are still present in many large organisations. “Not enough focus goes into risk management and compliance and this is a real challenge. Only lip service was paid to the fact that risk management needed to improve then – and in many cases this is still the same today.”
Keynote speaker, Baroness Pauline Neville-Jones, the Government’s special representative to business on cyber security, also warned delegates that cyber security represents both a challenge and an opportunity to businesses. “Better awareness and understanding of the risks and effective cyber security will be seen as a positive differentiator for UK businesses and will enable them to survive and thrive in today’s competitive global environment.”
Control of information risk and assessed risk: Proactive vs. reactive
According to the NTT Com Security research, confidence among businesses remains high, with over half (52%) of all respondents agreeing that the organisation is ‘completely in control of information risk’, rising to nearly three-quarters (72%) for financial services organisations.
However, while organisations are basing their spending on a mixture of assessed risk and protecting against threats, it seems that most are still taking a reactive rather than a proactive approach to risk management. Only 1 in 5 organisations base their spending on assessed risk – even less for businesses in financial services – and around 1 in 4 base it on protecting against the next threat.
“While the majority see a benefit to having a proactive approach when assessing the risk of information assets, the fact that still only a fifth base their spending on assessed risk shows there is plenty of room for improvement and that there is still a lot of work to be done,” Lillywhite continued.
The survey was conducted in late September to early October by the independent market research company Vanson Bourne, among 100 IT decision makers in large UK organisations within financial services, manufacturing, retail, distribution and transport, and other commercial sectors.