Businesses Misusing Average IT Security Spending Figures
Gartner has released a report warning businesses that, although they spend on average just over 5% of their overall IT budget on security, comparing that spend with other firms in the same sector is not a substitute for accurately assessing your own company's security posture and spending requirements.
Yes It Sounds Low, But…
According to the Gartner report, IT security spend currently ranges from 1% to 13% of an organisation's IT budget. An average of just over 5% does seem low, especially given the large number of reported hacks and security breaches.
The report suggests, however, that companies which use industry average figures, or even the spend of a peer in the same sector, to set their own security budget may be putting themselves at risk, and may be misusing the information altogether.
Base It on Your Own Company’s Needs.
According to Gartner's report, simply applying generic IT industry averages could mean that, even though your company is spending at the same level as its peers, it is spending on the wrong things. Your company's IT security needs may be different from, or more complex than, those of other companies in the industry, which means your risk exposure, and therefore the budget needed to bring it within your risk appetite, may be quite different from your peers'.
The Gartner report therefore argues that simple spending statistics do not necessarily measure the effectiveness of IT security and are not a gauge of a successful IT organisation.
Another complicating factor in arriving at an accurate IT security budget, highlighted by the report, is that many organisations do not know what they actually spend on security: because of inadequacies in company cost accounting systems, the chief information security officer has only limited insight into security spending across the enterprise. For example, many security-relevant processes are carried out by staff who are not devoted full-time to security, which makes it very difficult to account accurately for security personnel costs.
What Does This Mean For Your Business?
To arrive at the right kind and level of IT security budget for your specific organisation, it is risky to rely heavily on industry average statistics. A better plan is to establish clearly your own business's IT security requirements and risk tolerances. To identify your real current spend, it is worth looking at areas such as networking equipment with embedded security functions, any desktop protection included in your end-user support budget, your enterprise applications, any outsourced or managed security services, your business continuity and privacy programmes, and any security training funded by your HR function.
Being able to break your spending down accurately into hardware, software, services (including outsourcing and consulting) and personnel puts you in a better position to arrive at the right budget.
It may even be the case that, by exercising due diligence in this way, you end up spending less than the average while remaining secure.
Among the lowest-spending 20% of businesses are organisations that have implemented best practices for IT operations and security, and are actively working to reduce vulnerabilities.