IDC: NZ Organisations Must Make Security a Business Priority and Follow Through
Auckland, New Zealand, 22 September, 2014.
New Zealand organisations are at risk of taking their eye off the ball when it comes to IT security. As organisations
evolve to information lead, information-centric business model the strategic importance of a strong security governance
model is critical.
IDC New Zealand's latest Security Study, based on recent IDC end-user surveys, revealed that security is New Zealand
organisations' leading strategic initiative to deploy by the end of 2015. However, when it comes to the specific
technology investments, such as the 3rd Platform investment (cloud, mobile, social and big data), security is not even
in the top 3 list of priorities.
The strongest intentions for security investment were detected in Retail/Wholesale, Financial, and Public sectors. From
a business demographics point of view, the most intensive security adaptors are organisations with less than 100 seats
and more than 1000.
"The mindset of kiwi CIOs is that security is perceived as a supportive, risk-managing initiative, rather than a primary
solution for business goals. This is vastly different from both Australia and AP that place security as the top
investment area across all new technology initiatives" says Donnie Krassiyenko, Market Analyst at IDC New Zealand.
It has been well communicated that there is a challenge for the CIO to become more strategic within the organisation.
With only 60% of CIO's reporting to the CEO this is an opportunity to argue the need for a seat at the table.
"New Zealand organisations should ensure that someone at the leadership table carries the responsibility for information
and security. This will force the attention and profile required to ensure that security is well considered in all
technology investment decisions" adds Adam Dodds, Research Manager at IDC New Zealand. "Businesses and the CIO office
are signalling a strong intent to work better together. This will be achieved through an alignment of a common language.
Being able to articulate risks as they relate to revenue, IP, health and safety, brand, legal exposure and brand risk
will provide a sense of perspective against physical and technical investments in security".
Therefore IDC advises that organisations should look to categorise the security risks relative to their impact to the
business and the level of the risk represented, which differs across vertical industries as illustrated in the chart
below. "Risk categorisation will help the security office to operate within predictable budgets and, thus, to meet
expectations of the executive office", concludes Krassiyenko.
As a result IDC recommends to follow these simple steps for CIOs and IT managers to take control of their organisations'
IT security:
• Set up good configuration with 100% visibility to understand the attack surface. Risks must be prioritised to be
adequately addressed relative to the organisation industry risk profile.
• Establish and anchor a security budget that includes contingency funds as part of the IT strategy. Selling it to
executives as an ongoing asset risk management initiative will be critical.
• Choose a security vendor based not only on its track record, but also on its security capabilities and risk management
expertise.