Organizations Falsely Equate IT Security Spending With Maturity

Organizations Falsely Equate IT Security Spending With Maturity

Foto: Fotolia

Organizations spend an average of 5.6 percent of the overall IT budget on IT security and risk management, according to the most recent IT Key Metrics Data from Gartner. However, IT security spending ranges from approximately 1 percent to 13 percent of the IT budget and is potentially a misleading indicator of program success, analysts said.

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs," said Rob McMillan, research director at Gartner.

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers," he said. According to Gartner, the majority of organizations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources. Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organizations. They simply provide an indicative view of average costs, without regard to complexity or demand.

Explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel. However, any statistics on explicit security spending are inherently "soft" because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

Gartner's experience is that many organizations simply do not know their security budget. This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel. In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.

To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.

According to Gartner research, secure organizations can sometimes spend less than average on security as a percentage of the IT budget. The lowest-spending 20 percent of organizations are composed of two distinctly different types of organizations:

  • Unsecure organizations that underspend
  • Secure organizations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.

Gartner's view is that enterprises should be spending between 4 and 7 percent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the "real" or total budget.

More from category

Chinese Semiconductor Industry Continues on an Upward Trend

Chinese Semiconductor Industry Continues on an Upward Trend

20 Jan 2017 comment

China’s impact on the global semiconductor industry continued on an upward trend in 2015, with chip consumption and production revenues increasing at a greater rate than worldwide revenues. According to PwC’s 2016 update to its annual report, China’s impact on the semiconductor industry, China’s share of the consumption market increased by 5.9% in 2015 to 58.5% of the worldwide total, marking a new record.

Internet of Things Spending Forecast to Grow 17.9% in 2016

Internet of Things Spending Forecast to Grow 17.9% in 2016

20 Jan 2017 comment

Worldwide spending on the Internet of Things (IoT) is forecast to reach $737 billion in 2016 as organizations invest in the hardware, software, services, and connectivity that enable the IoT. According to a new update to the IDC Worldwide Semiannual Internet of Things Spending Guide, global IoT spending will experience a compound annual growth rate (CAGR) of 15.6% over the 2015-2020 forecast period, reaching $1.29 trillion in 2020.

Worldwide Cloud Infrastructure Market Revenue Grows 8.1%

Worldwide Cloud Infrastructure Market Revenue Grows 8.1%

19 Jan 2017 comment

According to the IDC Worldwide Quarterly Cloud IT Infrastructure Tracker, vendor revenue from sales of infrastructure products (server, storage, and Ethernet switch) for cloud IT, including public and private cloud, grew by 8.1% year over year to $8.4 billion in the third quarter of 2016 (3Q16). Ethernet switch continues to be the growth leader, as the market awaits new hyperscale datacenter builds to spur additional growth.