Story image

Enterprises falsely equate IT security spending with maturity

12 Dec 2016

While security spending can account for up to 13% of an IT budget, this could potentially be a misleading indicator of programme success, according to Gartner.

According to new research from the analyst firm, organisations spend an average of 5.6% of the overall IT budget on IT security and risk management.

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practising due diligence in security and related programs," explains Rob McMillan, research director at Gartner. 

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable,” he says.

“Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”

McMillan says the majority of organisations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

“Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources,” he explains.

“Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations,” McMillan states.

“They simply provide an indicative view of average costs, without regard to complexity or demand.”

Identifying the "real" security budget

Explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel. However, Gartner says any statistics on explicit security spending are inherently "soft" because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

McMillan says Gartner's experience is that many organisations simply do not know their security budget.

“This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel,” he says.

“In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.”

To identify the real security budget, McMillan says there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.

According to Gartner research, secure organisations can sometimes spend less than average on security as a percentage of the IT budget. The lowest-spending 20% of organisations are composed of two distinctly different types of organisations:

  1. Unsecure organisations that underspend; and
  2. Secure organisations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.

Gartner's view is that enterprises should be spending between 4 and 7 percent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk. McMillan says this represents the budget under the control and responsibility of the CISO, and not the "real" or total budget. 

To demonstrate due care in information security, organisations need to first assess their risks and understand both the CISO's security budget and the "real" security budget found in the complicated range of accounts that may not capture all security spending.

"A CISO who has knowledge of all of the security functions taking place within the organization as well as those that are necessary but missing and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage," says McMillan.

Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
SAS partners with NVIDIA on deep learning and computer vision
“By partnering with NVIDIA, we combine our strengths to augment human intelligence and realise the true potential of AI.” 
Why businesses must embrace automation to ensure success
“For many younger workers, the traditional view of a steady job at one company, perhaps for life, simply doesn’t reflect reality."
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
Microsoft appoints new commercial and partner business director
Bowden already has almost a decade of Microsoft relationship management experience under her belt, having joined the business in 2010.
How Cognata and NVIDIA enable autonomous vehicle simulation
“Cognata and NVIDIA are creating a robust solution that will efficiently and safely accelerate autonomous vehicles’ market entry."
Kinetica launches a new active analytics platform
"With the platform now powered by NVIDIA DGX-2, customers can build smart analytical applications that combine historical data analytics and ML-powered analytics."