Published on the 13/12/2016 | Written by Newsdesk
Organisations spend an average of 5.6 percent of the overall IT budget on IT security and risk management, but that’s no measure of security…
That’s according to market watcher Gartner, Inc, which also said IT security spending ranges from approximately 1 percent to 13 percent of the IT budget. But, considerable though it is, spend is potentially a misleading indicator of program success. Or, it is necessary to spend, but spending just ain’t sufficient to be secure.
“Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs,” said, Gartner research director Rob McMillan in a statement.
“But general comparisons to generic industry averages doesn’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers,” he said.
We’re inclined to invoke Captain Obvious here and point out that measuring spending has never been the same thing as measuring outcomes, whether in the IT field, the IT security field or the arena of politics, where all too often, governments are inclined to talk up their budgets but hide the measuring equipment away.
In any event, Gartner said that it expects the majority of organisations to continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.
But, it pointed out, without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources. Moreover, Gartner continued, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations. They simply provide an indicative view of average costs, without regard to complexity or demand.
If that sounds pretty dire and slightly silly, it gets worse (or better, for the hackers we are assured lurk under every bed). Gartner said that its experience is that many organisations simply do not know their security budget. This, it said, is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel.
In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.
To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR. And, possibly, behind the couch.
Here’s the real kicker: Gartner goes on to point out that secure organisations can sometimes spend less than average on security as a percentage of the IT budget than less secure ones. Even that makes sense: if the spending is appropriately targeted and the outcomes measured, it will surely be better than the shotgun approach of throwing money at the problem (although we imagine security vendors would find little fault with the latter cavalier approach).
Interestingly, the researcher said the lowest-spending 20 percent of organisations are composed of two distinctly different types:
- Unsecure organisations that underspend; and
- Secure organisations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.
Gartner’s view is that enterprises should be spending between 4 and 7 percent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the “real” or total budget.
To demonstrate due care in information security, organisations need to first assess their risks and understand both the CISO’s security budget and the “real” security budget found in the complicated range of accounts that may not capture all security spending. Further, said McMillan, “A CISO who has knowledge of all of the security functions taking place within the organisation — as well as those that are necessary but missing — and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage.”
Making it even harder to accurately track security spend, in other words.
