US execs go security spending crazy

A poll of corporate executives published on Monday found that companies are increasing spending on security to satisfy legislation - not necessarily because their CEOs have seen the light.

The study of 7,500 senior information technology executives found that 62 per cent of companies will increase security spending in 2003, compared with 50 per cent in 2002. The top reason for the increase in funding security programs was to satisfy legislation such as the Sarbanes-Oxley Act, which holds executives accountable for their company's disclosures.

Joe Duffy, lead partner of accounting firm PricewaterhouseCoopers' Security & Privacy Solutions practice, said: "Sarbanes has had an impact; there is no doubt about it." Duffy believes that executives want greater assurances from their IT departments that their systems are secure and can be audited.

Almost two-thirds of those polled said they adopted security measures to limit liability, and almost half said it was to comply with regulations. Only 37 per cent of participants said adopting security measures was prompted by a fear of a security incident that affects revenue, or because experts have long recommended such precautions.

Legislation that's passed in the last two years - Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act - is forcing companies to meet minimum levels of security for their systems and the information in their databases. Although companies have repeatedly said self-regulation - not legislation - would lead to better security, the survey seems to argue that recent regulations have garnered better results than years of leaving the companies to their own devices.

The survey polled corporate officers in 47 different countries and across all industries. PricewaterhouseCoopers teamed with CIO magazine to produce the report.

Almost two-thirds of the participants in the survey indicated that their company had suffered a security breach in the past year, most commonly a virus or Trojan horse, unauthorised entry into a computer system or a denial-of-service attack. The attacks resulted in email and applications being inaccessible more than half the time or causing network downtime. More than a quarter of the incidents resulted in employee or customer records being compromised or lost.

Such incidents are helping companies quickly realise that beefing up security is worth it, Duffy said.

"There is the regulatory stick, but there is also a carrot of having a fault-tolerant, always-on network offering services," Duffy said. "I would argue good security is good business."

Robert Lemos writes for CNET News.com