Skip to main content

Many Organizations Falsely Equate IT Security Spending With Maturity

Organizations spend an average of 5.6 percent of the overall IT budget on IT security and risk management, according to the most recent IT Key Metrics Data from Gartner, Inc. However, IT security spending ranges from approximately 1 percent to 13 percent of the IT budget and is potentially a misleading indicator of program success, analysts said.

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs," said Rob McMillan, research director at Gartner.

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers," he said.

According to Gartner, the majority of organizations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources. Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organizations. They simply provide an indicative view of average costs, without regard to complexity or demand.

Identifying the "real" security budget
Explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel. However, any statistics on explicit security spending are inherently "soft" because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

Gartner's experience is that many organizations simply do not know their security budget. This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel. In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.

To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.

According to Gartner research, secure organizations can sometimes spend less than average on security as a percentage of the IT budget. The lowest-spending 20 percent of organizations are composed of two distinctly different types of organizations:
1.       Unsecure organizations that underspend; and

2.       Secure organizations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.


Gartner's view is that enterprises should be spending between 4 and 7 percent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the "real" or total budget.

To demonstrate due care in information security, organizations need to first assess their risks and understand both the CISO's security budget and the "real" security budget found in the complicated range of accounts that may not capture all security spending.

"A CISO who has knowledge of all of the security functions taking place within the organization — as well as those that are necessary but missing — and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage," Mr. McMillan said.

Comments

Popular posts from this blog

Cloud Computing powering India’s priority of ‘Digital-first country’

By: Sunil Mahale, India MD and VP, Nutanix
Digital transformation has been recognized as being vital to the growth of our nation. This transformation has enjoyed the unanimous approval and contribution from all stake holders including enterprises, MSMEs, government bodies and citizens. But this level of adoption in a country with a population of over a billion people would need a robust technology base that is capable to collecting and distributing vital data seamlessly.
Digital India envisions creating high speed digital highways, that will impact commerce and create a digital footprint for every individual. Technologies based on mobility, analytics, Internet of things and most importantly, cloud technologies are the building blocks for the digital India missionThere is a growing need to manage huge volumes of data, and making them readily available to public through digital cloud services. Cloud has a pivotal role in enabling this change.
While Data centers have become crucial to th…

RevStart launches its RevItUp Incubation Programme

Underlining its vision of creating a nurturing ecosystem for start-ups to grow in, RevStart, a co-working and incubation centre, has announced the launch of its RevItUp Incubation Programme. The 12-week long programme will be held at RevStart Incubation Centre in Noida from July 1, 2018 onwards. As part of the programme, RevStart will select five high potential start-ups from the ed-tech sector, AI, Consumer Internet, Sustainability, as well as for-profit social impact companies to assist them with developing their business, along with connecting them to global mentors across industries and sectors. In addition, start-ups selected for the programme will receive INR 5 lakh to Rs. 25 lakhs worth of cash and benefits, while RevStart will get an equity stake in the ventures.
The RevItUp Incubation Programme has been created to enhance the founding team’s industry, product, and company building knowledge and capabilities through a world-class curriculum. The programme will focus on tailor…

Insurtech startup Kruzr raises $1.3 Million from Saama Capital and Better Capital

InsurTech startup Kruzr has raised 1.3 Million USD (Rs. 9.5 Cr) for its seed round led by Saama Capital with participation from Better Capital. Kruzr is a preventive motor insurance technology which helps insurance companies personalize policy premiums & improve their risk model by delivering an engaging preventative driving assistant to their customers. Kruzr is founded by Pallav Singh, Ayan, and Jasmeet Singh Sethi.

Kruzr blends the power of voice technology and artificial intelligence in its personal driving assistant that helps drivers minimize mobile distractions, drowsy driving, speeding and external risks like weather and accident-prone zones. In pilots with insurers, Kruzr managed to cut down distracted driving by 80%. Kruzr is working with motor insurance companies in Europe, UK and India to bring its technology to their customers to prevent accidents & improve claims.

“Road accidents cause over 1.3 million deaths globally every year, and motor insurance companies los…