Godfrey Kutumela, Head Security Division

How much is enough? This is a difficult question, and one that should trigger us to go back basics. IT Security needs to be treated as a risk management issue because it concerns reducing the risks to an acceptable level through continuous mitigation efforts. The truth is that nobody will ever be 100 percent secure in this lifetime—and one only knows that one did not spend enough on security when a breach occurs.


Generally, many CIOs are simply not spending enough on security. It’s often hard to make the business case because calculating ROI is impossible. The business case needs to make it clear that understanding and then managing cyber risk is the goal, in order to reduce the risk to an acceptable level.

Sony and the Panama Papers have taught us not only that the risks may be greater than we imagined, and that the consequences of a breach can be disastrous. My own view is that organisations should be spending more on security, even if it means going beyond the industry’s standard of 10 percent of the overall IT budget. Security has been a growing issue for more than a decade, and it should be its own budget item, not a subset of governance or compliance project. Risk is a board issue, and cyber risk is by no means the least serious of the risks a company faces—especially in today’s connected, digital economy.