Revenue, Profit and Spend on IT Security


In his 2003 Harvard Business Review article IT Doesn’t Matter, Nicholas Carr recommended that organizations:

1) Spend less on IT
2) Follow, don’t lead, and
3) Focus on vulnerabilities, not opportunities when it comes to IT.

IT Does Matter
Recent research – How the IT Masters Deliver More Value and Less Risk – proves that Carr was correct in recommending organizations should focus on vulnerabilities. However, the research proves there are some areas where firms should clearly lead.

It is also clear that spending less on IT, especially on information security and audit, is actually detrimental to business results including revenue, profit and customer retention. In fact, the research clearly shows that the roughly 2-in-10 organizations that spend the least on IT, information security and audit deliver the worst business results, including the lowest revenue, profit and customer retention when compared with peers. Unfortunately, these same organizations are exposed to the highest business risks from higher-than-average data loss or theft rates, more business downtime and greater difficulty with audits.

In sharp contrast are the 1-in-10 organizations spending the most, which also post the best business results, including the highest revenue, profit and customer retention rates compared to peers. These same organizations are least exposed to business-jarring risks from data loss or theft, downtime or audits.

In between are a majority of organizations (7 in 10) that are under- or over-spending compared with peers. These same organizations are posting business results that are slightly on the negative or positive side of their peers, and experiencing risks from data loss or theft, downtime and audit that are similar to peers.

What it means for you

If you spend too little: it’s time to increase spend

If you spend at average: it’s time to increase and reallocate spend

If you’re not reaping the benefits of high spend: it’s time to reallocate spend

Assess for Yourself, Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CFOs, CEOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: to find out more

HBR Article
IT Doesn’t Matter


How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes




