Most organizations are spinning the black-jack wheel, not realizing the odds are stacked against them in the 21st century cyberwar game of cat-and-mouse steal your secrets, got your financial data, steal your customers, plunder your intellectual property and more.

Why most organizations?

Because 50% are clearly under-spending on information security, while another 4-in-10 should be spending more.

The evidence across more than 6,000 organizations is clear: spend more on information security and;

• Post larger revenue and profit than your peers
• Retain more customers and keep them coming back better than your peers
• Minimize your exposure to data theft and associated financial losses
• Minimize the number of vulnerabilities
• Reduce the number of un-patched vulnerabilities
• Minimize the impact – and cost – of complying with regulations and legal mandates
• Significantly reduce business downtime from IT related failures

Sounds far-fetched?

The evidence supports the trite claim that you have to spend some money to avoid spending even more due to downside risks involved.

Measured across more than 6,000 organizations, research conducted by the IT Policy Compliance Group reveals a close relationship between better outcomes being achieved by organizations and higher-levels of spend on the information security function, and it shows the relationship between the level of spending on information securty and outcomes being experienced has been – and remains – almost constant since 2006 despite a nose-dive in spending that occurred among some worst performers in 2010 and 2011.

Disbelief?

Just trickery and Stats you say! And besides,  IT budgets vary considerably, which means the percentage of the IT budget is an inaccurate measure of spending!

Well yes, IT budgets do vary considerably, from one industry to another, from one company to another, and from small businesses to the largest of global conglomerates. But, what is found from the research is the organizations experiencing the best outcomes actually spend more on IT budgets when compared with their peer competitors: those about their size in the same industry.

This means that the best performers spend more in aggregate on IT, and spend a larger chunk of a larger IT budget on information security. It also means the worst performers typically have smaller IT budgets (when compared with peer competitors) and spend a smaller chunk of these smaller budgets on information security. It all adds up to one obvious conclusion: spend more on information security!

As for Stats and trickery, the error in the sample is but +/- 1 percent. The average level of spend on information security among the worst performers is about 4%; among the average performers is near 7.5%; and among the best performers is almost 11%:  enough of a separation between them to overrule the small sample error.

But beyond the numbers, the picture tells the thousand words:

Those with the worst outcomes are spending the least on information security,

those with the best outcomes spend the most,

everyone else falls in-between.

Is your company worth a modest increase in spending on information security?

Is your reputation worth a modest increase?

Only you can answer these questions.

Do You Feel Lucky? Well, do You?

A random selection of recent headlines include:

October 31:  Nitro attacks target Chemical and Defense Industry firms

ZDNetAsia

ITPro

MSNBC

Symantec

October 31:  Shields-up for old Linux trojan – Tsunami

Computerworld

October 31: 600,000 Facebook accounts being compromised each day

Redmondpie

October 31: Hackers take over Electronic Financial Crimes Comission website

Menafn

October 30: Hackers infiltrate US satellites

Daily Mail

October 28:  Dolphin Browser for Android: Security and Privacy Breach

CNET

ArsTechnica