You may be spending just as much on IT security as your competitors, but that does not mean that security maturity is similar to theirs.
According to the recent IT Key Metrics Data from Gartner, organisations spend an average of 5.6 percent of their overall IT budget on security and risk management. However, it was found that IT security spending ranges from approximately one percent to 13 percent of the IT budget, which is thus a potentially misleading indicator of a programme's success.
"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practising due diligence in security and related programmes," said Rob McMillan, Research Director at Gartner, in a press release.
"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers," he continued.
The research firm explained that secure organisations can sometimes spend less than average on security as a percentage of their IT budget. The lowest-spending 20 percent of organisations are composed of either unsecure organisations that underspend, or secure organisations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of vulnerabilities.
Gartner said explicit security spending is split among hardware, software, services such as outsourcing and consulting, and personnel.
However, the company noted that any statistics on explicit security spending are inherently "soft", as they understate the true magnitude of IT security investments. This is because the security features are incorporated into different areas of organisations such as hardware, software, activities, or initiatives not specifically dedicated to security.
Drawing from experience, Gartner said many organisations do not know their security budgets. This can be partly attributed to the fact that few cost accounting systems break out security as a separate line item, and that security-related processes are carried out by employees who are not devoted full-time to security, which makes it impossible to accurately account for security personnel.
Gartner added that in most instances, the Chief Information Security Officer (CISO) does not have insights into security spending throughout the organisation.
The research firm thus listed the areas that businesses must look at to identify the real security budget. These include networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programmes, and security training that may be funded by the human resources (HR) department.