Menu
Inside the “real” security budget - Why spending doesn't guarantee maturity

Inside the “real” security budget - Why spending doesn't guarantee maturity

IT security spending a misleading indicator of program success.

Businesses spend an average of 5.6 per cent of the overall IT budget on IT security and risk management, yet many organisations falsely equate spending with maturity.

According to Gartner findings, IT security spending ranges from approximately one per cent to 13 per cent of the IT budget and is potentially a misleading indicator of program success.

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs," Gartner research director, Rob McMillan, said.

However, McMillan said that “general comparisons” to generic industry averages do not reveal much insight regarding a business's state of security.

“You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable,” he explained.

“Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”

As a result, McMillan believes the majority of organisations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources.

Moreover, McMillan said IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations.

“They simply provide an indicative view of average costs, without regard to complexity or demand,” he warned.

Identifying the "real" security budget

For McMillan, explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel.

However, any statistics on explicit security spending are inherently "soft" because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

“Many organisations simply do not know their security budget,” McMillan observed.

“This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel.

“In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.”

From a channel perspective, and to help customers identify the real security budget, there are many places to look, according to McMillan.

“Such as networking equipment that has embedded security functions,” he explained.

“Desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.”

According to research, secure organisations can sometimes spend less than average on security as a percentage of the IT budget.

As explained by McMillan, the lowest-spending 20 per cent of organisations are composed of two distinctly different types of organisations.

“Un-secure organisations that underspend,” McMillan explained.

“And secure organisations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.”

Consequently, McMillan’s view is that enterprises should be spending between four and seven per cent of IT budgets on IT security - lower in the range if they have mature systems, higher if they are wide open and at risk.

“This represents the budget under the control and responsibility of the CISO, and not the "real" or total budget,” he added.

To help demonstrate due care in information security, partners can advise organisations to first assess risks and understand both the CISO's security budget and the "real" security budget found in the complicated range of accounts that may not capture all security spending.

“A CISO who has knowledge of all of the security functions taking place within the organisation as well as those that are necessary but missing and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage,” McMillan added.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags CISOGartnerChief Information Security Officer (CISO)

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments