CXO

IT security spending: It's time to rethink our priorities

It's wrong that security technology spending is still given a free ride, while wiser investments in infrastructure get turned down.

Security is critical and certainly businesses still have a lot of catching up to do with respect to evolving culture, process and technology to handle security risks.

But all of IT is prone to becoming obsolete if technologies and processes are not continually evolved to match changing business needs. And so, each year I put together thought-out and backed-up strategies to modernize our tech environment in order to become more efficient - and a less costly part of the organization to run.

Areas such as disaster recovery or infrastructure refresh are projects I can put a business case together for that should withstand scrutiny. But it doesn't: it is crossed out with extreme speed and prejudice as an example of unnecessary costs in an ever-frugal world. As such we are forced to maintain and operate an ageing and disparate group of technologies which in have a significant impact on our effectiveness - and on how the organization views us.

And yet, when it comes to IT security projects and spending all we need to do is whisper 'vulnerability' and a waterfall of funds is available to us. We need neither justification nor any sound business case to spend money on these technologies. Ironically, lack of investment in other areas has a direct correlation with the need to spend more on security (an issue which is often raised yet quickly dismissed).

It almost seems counter-intuitive that IT security is now the 'have' while the IT Infrastructure is the 'have not'. I can point to the real productivity and cost impacts of the lack of spend in these areas yet no one wants to listen - and yet the prospect of the possibility of cyber-attack is much more compelling for our organizations in deciding where to spend money.

What our executive is saying is that they do not want to be held accountable in the event of a cyber-attack by virtue of not spending money on IT security. As soon as an issue or a potential problem is brought up they have no alternative but to say yes. This has nothing to do with improving the environment, modernizing technology for the sake of the company and bottom line, being innovative in the face of increased competition and maximizing productivity.

I fully support spending on IT security to protect company information however what I do not support is the business dismissing other needs that often have greater corporate impact - and then when systems and technology doesn't do its job turn around and blame IT.

More from the Naked CIO

Editor's Picks

Free Newsletters, In your Inbox