Organisations spend an average of 5.6 per cent of their overall IT budget on IT security and risk management, according to analyst Gartner.
IT security spending ranges from approximately 1 per cent to 13 per cent of the IT budget. Gartner warns that simply looking at the size of security spending - even in comparison to other firms in the same sector - is potentially misleading.
"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes," explained Rob McMillan, research director at Gartner.
"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable."
"Alternatively, you may be spending appropriately but have a different risk appetite from your peers," he added.
According to Gartner, the majority of organisations will continue to misuse average IT security spending figures as a measure of security programme maturity, at least in the short to medium term. Business requirements and risk tolerance need to be brought into the equation when evaluating whether or not an organisation has set its security budget at the right level, Gartner advises.
Security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security. And staff who have a security role often have other duties.
Gartner's experience is that many organisations simply do not know their security budget. "This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel," according to Gartner. "In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise."
Deciding what to spend that budget on is a different and even trickier proposition. Security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel.
According to Gartner, secure organisations can sometimes spend less than average on security as a percentage of the IT budget. The lowest-spending organisations fall into two divergent camps: insecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security that reduce overall IT complexity.
Gartner reckons that enterprises should be spending between 4 and 7 per cent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the "real" or total budget.
Gartner clients can read more in the report, Identifying the Real Information Security Budget. ®