Whether it's your own household finances or a multimillion-dollar IT budget, spending and planning fall into two main categories: must-haves and want-to-haves. Must-haves (otherwise known as nondiscretionary spending) always seem to take up a larger portion of the budget–every time you gas up your car, you can see that firsthand.

Insurers' must-haves in IT include investments targeted toward meeting security and compliance demands. Although they involve different activities, security and compliance strategies have been converging in recent years under a consolidated risk management framework, particularly as regulations have required protection of customer data and other information security measures.

"We are starting to wrap those two [security and compliance] together, creating an organization that's responsible for compliance, including Sarbanes-Oxley work, information security, and other risk management concerns such as enterprise architecture," says Don Garvey, CISO at P&C insurer Chubb Group. "Some companies have formed that outside IT, but we're creating an organization within IT."

At UnumProvident, the disability insurer's IT risk management department has been in place since 2003. Today, the CISO and manager for IT compliance report to Chris Bursch, vice president of IT risk management, who in turn reports to the carrier's CIO through the senior vice president of IT. Bursch indicates this structure has helped the carrier in budgeting for security and compliance in IT.

"Since we're organized [in IT] around risk management, we have a level of focus on [security and compliance] issues other companies might not," Bursch says. "Companies might have a central information security department but might localize risk management review, so it won't get as much air time [with senior management] as it does here. We can provide the right input into the budgeting and planning process." UnumProvident's structure not only has affected budgeting but also promoted overall alignment both among IT units and between IT and business. This type of alignment is crucial for a carrier to be truly effective in targeting security and compliance.

"If you look at why a company is not doing what it is supposed to be doing vis-à-vis security, it's because the right person isn't getting the chance to make the decision or someone doesn't 'own' the business process," explains Barbara Gomolski, a vice president of research at Gartner who focuses on IT management. A shortcoming in security or compliance "is not a challenge of funding; it's a challenge of being able to evaluate the risk in a way that's uniform and get that information to the people who need to make decisions. That's why you have to layer a risk management perspective on top of what you do from an IT perspective."

Must-Haves

Since the early 2000s–when the need for security and compliance really began to emerge–insurers have shown their willingness to spend IT dollars on risk mitigation initiatives despite financial challenges presented by the insurance market and overall economic environment in following years.

"Insurers do have a handle on risk management, including security and compliance. That's what they do," says Deborah Smallwood, managing director of insurance at TowerGroup. "Particularly with the risk of a security breach, aside from an image and public relations perspective, the potential business impacts are enormous in terms of securing customer data, including financial information and medical records."

"In the nondiscretionary category, where we put regulatory compliance, security, data privacy, and all those issues, it's not like we have a choice," says Richard Connell, CIO at Selective. "Since those issues have been a high priority for us for years, we have continued to commit to spending on those issues. That spending tends to remain at the same level, and it is not insignificant."

Actual dollar spending trends will be detailed below. First, it's worth taking a look at exactly what type of issues have been impacting the budgeting process.

When it comes to security, a changing technology environment has been a mixed bag for security officers. On one hand, it has created the need for more must-have measures. "As we continue to build more complex environments, deploy Web services, develop component-based architecture, and leverage the Internet to conduct business, it continues to make the industry more vulnerable for security breaches," Smallwood points out.

"As companies get into this world where products, services, and resources are more à la carte, where you may outsource or leverage a third-party company to process some data, [information security] becomes a bigger consideration," notes Garvey.

On the other hand, while more security measures may be needed, new technologies tend to be easier to secure. "Legacy systems have a lot of idiosyncrasies, and as we transfer away from them, it does make our job easier because newer technology adapts more easily to newer security measures," adds Greg Bee, IS security manager at Country Insurance & Financial Services.

"With the experience level and the maturity level in the industry, companies have a good handle on Web services and what playing in that environment requires," Smallwood remarks. "The perpetual maintenance is the challenge of security that continues to [grow]."

Companies increasingly have been including training as a must-have investment, both to familiarize users with new security systems and compliance-mandated procedures as well as to create a paper trail in their compliance processes. Whether the costs for deploying training programs to IT staff hit the IT budget depends upon the company.

For example, in mid-2005 Selective began using training modules from Integrity Interactive that cover such practices as ethics and compliance. Integrity administers this Web-based program to all of Selective's 2,000 employees and tracks course completion, which is mandatory. "That kind of training vehicle is very effective at reaching a large dispersed employee base," Connell says.

Since Selective considers the training to be a corporate-level governance program, the $30,000 cost per course is charged against security's corporate legal budget, although the IT department provides support for the training sessions.

Treating security and compliance as a discipline or practice–not just a particular intrusion detection system, records management application, or training course–is something that also costs companies the resources of time and, therefore, money, but those costs are inseparable from the general costs of maintaining and managing staff.

"IT managers are struggling with how to deal with new [security] practices and how to deal with these [compliance] audits and auditors but still stay within their budgets," says Jerry Murphy, senior vice president and director of research operations at Robert Frances Group. In that respect, "compliance is an unfunded mandate," he comments.

Want-to-Haves

Most of the pinch insurers feel on their ability to spend on want-to-haves comes from must-have spending in areas other than security and compliance. According to TowerGroup, 68 percent of nondiscretionary IT spending goes to infrastructure and maintenance (although these activities do have their own security components). A chunk of the remaining budget goes to ongoing development, including carryover projects and system enhancements. In the end, Smallwood states, only about 10 percent of most carriers' IT budgets is available for truly discretionary, strategic spending.

Most carriers admit to putting off strategic initiatives in IT because of the demands of nondiscretionary activities, including security and compliance, Smallwood reports. "At the end of the day, it's not just about dollars, it's also about the people power of analysts and other IT professionals," she says. "There's only so much [resource] bandwidth in the company."

While not divulging actual numbers, Bursch indicates the overall resource costs attributed to security and compliance–particularly the latter–have been "significant" at UnumProvident over the last few years. "Absolutely that has taken resources away from strategic initiatives, but that's the cost of doing business," he says.

However, this doesn't mean IT security and compliance officers are given a blank check at the expense of the business. "A couple of years ago, [CISOs] could say, 'Here's a vulnerability; give me the money,'" Murphy claims. But as companies have become more familiar with security risks, that's no longer the case. "[CISOs'] budgets aren't any freer than other IT budgets," he says.

"The key part of getting the proper focus and funding is you can't just use pure scare tactics," Bursch asserts. "You have to outline the potential risks and costs and your recommendations for mitigating those risks to the level everybody–up through your CIO and audit department–feels comfortable with."

Also, security and compliance officers have their own lists of want-to-haves they'd like to see in the 2007 budget, but that will require a bit of persuasion on their part. Murphy reports CISOs, in particular, have been frustrated on this issue lately given the focus on other deadline-driven compliance issues.

To solve their frustration, "it's incumbent upon security officers to speak the language of business and articulate the impact of what a vulnerability is. They need to turn 'We have an Internet Explorer zero-day vulnerability' into 'This will cost us millions of dollars,'" says Murphy.

Also, it especially helps secure budget approval if a security measure is something for which customers, not just IT, clamor. "We have RFPs coming in where we're a finalist bid for a major customer, and a part of the customer's review of us is our security profile and disaster recovery plan. That's a scenario where mitigating a particular risk may not be our highest priority from a business risk perspective, but because our customers are driving those issues, it becomes a priority," Bursch explains.

Budget Trends

"Even though the economy is better, I hear from IT managers their budgets certainly are not wide open," Murphy notes.

According to TowerGroup, IT spending in the insurance industry has been and will remain relatively stable at about three percent of net written premium. "We will continue to see individual companies have more significant increases, but overall, technology spending increases will be focused on controlled projects with limited durations," Smallwood says.

Spending on security will continue to increase in real dollar terms but remain relatively stable as a percentage of the overall IT budget at about five percent, which Gartner's Gomolski reports has increased from about three percent in 2000.

For IT departments at publicly traded companies that got hit with Sarbanes-Oxley-driven budget demands in recent years, the impact was significant. "A lot of CIOs assumed [Sarbanes-Oxley] compliance would not affect the IT budget per se, because they thought it was a finance and regulatory issue and, therefore, underestimated the impact it would have on their world," Gomolski points out. "In hindsight, as we go back and look at what compliance did, we found it impacted them on the order of 10 percent of the IT budget in 2005."

Fortunately, she does not expect that level of budget impact to continue now that most publicly traded companies should see a drop-off in spending with the initial years of Sarbanes-Oxley behind them. "[Compliance] should level off like security in the five percent to seven percent range," she says.

At Chubb, Garvey indicates spending on security has been consistently trending upward since the information security department was formed in 2001, even though the overall IT spending at the insurer has been flat. "If you broke out the amount of IT security spending per employee, it's increased 40 percent since 2002," he says, although he notes part of that per-employee increase has been due to a concurrent reduction in the insurer's work force during the past few years. A portion of the spending increase also has been the result of compliance demands affecting the information security area. "Since 2003, the majority of the increase has been due to compliance," he adds.

It's difficult to track all the information security spending that goes on within Chubb, Garvey continues. "Spending money on things you could classify as security happens across the organization. That's a good thing. It means business units with IT staff are spending money on security because they see the value," he contends.

Garvey expects the upward spending trend will persist in 2007 and anticipates the possibility of some new projects on the near horizon. "We see increased spending on things such as identity management," he reports, both for compliance as well as business benefit. "We've chosen to focus our [identity management] efforts on provisioning and to automate the workflow around granting and revoking system access as employees are hired, move between jobs, or leave the company."

At UnumProvident, Bursch states spending on overall IT risk management has seen a "pretty significant" increase from late 2003 to year-end 2005, but the rate of increase diminished in 2006 and likely will do so again in the 2007 budget. "I think we'll see a little leveling off because we've been able to put the [risk management] program in place and zero in on things that are most important, which helps balance out what otherwise could be a tremendous growth in spending because of what we might fear" rather than what actually poses a serious business risk, he says.

At Country Insurance, a mutual insurer, most of the increased spending in IT risk management since 2000 has been attributed to security. "We started off [in 2000] at about 3.5 percent [of the IT budget]," Bee says. "For the first five years, the trend was [our spending] went up a good 0.5 percent each year." However, this increase also has leveled off, and Bee expects the security component of the IT budget to be about five percent to six percent in 2007.

Like Chubb, Country Insurance has identity and access management on its radar. "We have an administration system in place, but there are some improvements that need to be made," Bee says. "We need to grant and revoke access as quickly as possible. For a business person to wait two to four days for the access he or she needs is becoming problematic. We're trying to reduce it to a reasonable expectation. We need automation, and the first place is to [improve] the workflow around that [system]."
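Both Garvey and Bee describe the same identity management goal: automating the workflow that grants and revokes system access as employees are hired, move between jobs, or leave. The core of such a workflow is a reconciliation step that compares what HR says a person's role is against what access the person actually holds. The following is an added illustration, not code from the article or from Chubb, Country Insurance, or any vendor it mentions; the role model, HR roster, and access snapshot are all constructed for the example, and the entitlement names are hypothetical.

```python
"""Joiner/mover/leaver (JML) access reconciliation.

Added example (not from the article). Given an HR roster and a snapshot of
entitlements currently held, compute the grants and revokes needed so that
each active employee holds exactly what his or her role calls for, leavers
and orphaned accounts hold nothing, and a second pass after applying the
changes produces no further work (idempotence).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed role model: the entitlements each job role is supposed to have.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "claims_adjuster": {"claims_app:read", "claims_app:write", "email"},
    "claims_supervisor": {"claims_app:read", "claims_app:write",
                         "claims_app:approve", "email"},
    "underwriter": {"policy_admin:read", "policy_admin:write", "email"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: Optional[str]  # None marks a leaver whose HR record is closed


def reconcile(hr_roster: Dict[str, Employee],
              current_access: Dict[str, Set[str]]
              ) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (grants, revokes), each mapping user_id -> set of entitlements.

    A user present in the access snapshot but absent from HR (an orphaned
    account) is treated exactly like a leaver: everything is revoked. An
    unknown role is an error rather than a silent no-op, so a mistyped role
    can never leave a mover holding stale access.
    """
    grants: Dict[str, Set[str]] = {}
    revokes: Dict[str, Set[str]] = {}
    for uid in sorted(set(hr_roster) | set(current_access)):
        held = current_access.get(uid, set())
        emp = hr_roster.get(uid)
        if emp is None or emp.role is None:
            desired: Set[str] = set()          # leaver or orphaned account
        elif emp.role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"{uid}: unknown role {emp.role!r}")
        else:
            desired = ROLE_ENTITLEMENTS[emp.role]
        missing, excess = desired - held, held - desired
        if missing:
            grants[uid] = missing
        if excess:
            revokes[uid] = excess
    return grants, revokes


def stale_accounts(hr_roster: Dict[str, Employee],
                   current_access: Dict[str, Set[str]]) -> List[str]:
    """Detection view: accounts holding any access without an active role."""
    return sorted(uid for uid, held in current_access.items()
                  if held and (uid not in hr_roster or hr_roster[uid].role is None))


def apply_changes(current_access: Dict[str, Set[str]],
                  grants: Dict[str, Set[str]],
                  revokes: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Simulate the provisioning system carrying out the computed changes."""
    updated = {uid: set(held) for uid, held in current_access.items()}
    for uid, ents in grants.items():
        updated.setdefault(uid, set()).update(ents)
    for uid, ents in revokes.items():
        updated[uid] -= ents
    return updated


# Constructed sample data covering a joiner, a mover, a leaver, and an orphan.
HR_ROSTER: Dict[str, Employee] = {
    "u100": Employee("u100", "claims_adjuster"),    # unchanged
    "u101": Employee("u101", "claims_supervisor"),  # mover: from underwriter
    "u102": Employee("u102", "underwriter"),        # joiner: no access yet
    "u103": Employee("u103", None),                 # leaver
}
CURRENT_ACCESS: Dict[str, Set[str]] = {
    "u100": {"claims_app:read", "claims_app:write", "email"},
    "u101": {"policy_admin:read", "policy_admin:write", "email"},
    "u103": {"policy_admin:read", "email"},
    "u999": {"policy_admin:write"},                 # no HR record at all
}

if __name__ == "__main__":
    g, r = reconcile(HR_ROSTER, CURRENT_ACCESS)
    print("grants:", g)
    print("revokes:", r)
    print("stale accounts:", stale_accounts(HR_ROSTER, CURRENT_ACCESS))
```

The mover case is the one worth watching: the promoted employee keeps the shared "email" entitlement, gains the claims entitlements, and loses the underwriting ones, which is the access accumulation a manual two-to-four-day process tends to miss. Running `reconcile` again on the output of `apply_changes` returns two empty dicts, which is the property to assert in a scheduled job before trusting it to act unattended.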

A Freer Future?

Particularly now that the first years of Sarbanes-Oxley compliance are behind them, will insurers' IT departments find more funds for other spending? "I don't think it's going to free up dollars, because [Sarbanes-Oxley] also often had additional funding, but it will free up focus and priority. It will free up talent and allow companies to shift their focus to other strategic initiatives," Smallwood claims.

Nevertheless, some insurers have seen an impact on the IT budget. "The first year [of Sarbanes-Oxley] was considerably higher [in cost] than the second. This is the third year, and it's lower still. That has freed up funds for discretionary areas," Connell says.

When it comes to information security at Selective, spending will continue to trend upward but still remain "well under five percent" of the overall IT budget, according to Connell.

However, even if an insurer does free up funds from certain areas of nondiscretionary spending, it may well find other must-haves take their place.

"There's always something. It may not be to the degree and size of Sarbanes-Oxley, but you never know what the future holds" for new compliance spending demands, Connell observes.

And the same holds true for information security. "With security, there always is tomorrow–always new situations to react to," Bursch says. "You never can fund 100 percent [of what you might like to have] or go across the board and say you're going to eliminate all risks. Identifying those [new threat] areas and determining the impact and your risk tolerance are how we have to continue to identify our spending priorities and plan for those priorities."
