Share with your friends










Submit

Analytics Magazine

Security spending potentially a misleading indicator of success

Organizations spend an average of 5.6 percent of the overall IT budget on IT security and risk management, according to the most recent IT Key Metrics Data from Gartner, Inc. However, IT security spending ranges from approximately 1 percent to 13 percent of the IT budget and is potentially a misleading indicator of program success, analysts said.

“Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs,” say Rob McMillan, research director at Gartner. “But general comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”

According to Gartner, the majority of organizations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources. Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organizations. They simply provide an indicative view of average costs, without regard to complexity or demand.

Explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel. However, any statistics on explicit security spending are inherently “soft” because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

Gartner’s experience is that many organizations simply do not know their security budget. This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel. In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.

To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.

According to Gartner research, secure organizations can sometimes spend less than average on security as a percentage of the IT budget. The lowest-spending 20 percent of organizations are composed of two distinctly different types of organizations: 1) Unsecure organizations that underspend; and 2) secure organizations that have implemented best practices for IT operations and security.

Gartner’s view is that enterprises should be spending between 4 percent and 7 percent of their IT budgets on IT security – lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the “real” or total budget.

Related Posts

  • 46
    A new survey shows that 78 percent of U.S. respondents say a company’s ability to keep their data private is “extremely important” and only 20 percent “completely trust” organizations they interact with to maintain the privacy of their data. The poll underscores the public’s view of the obligation that organizations…
    Tags: percent, organizations, security
  • 46
    According to a recent research report, 88 percent of business, security and IT professionals can't access the data needed to do their jobs effectively. Sponsored by Devo Technology, the report surveyed 400 business, IT and security decision-makers in order to examine what it means to be data-driven in the digital…
    Tags: percent, security
  • 44
    Security analytics solutions are delivering deeper visibility into organizations’ security data than ever before, but deployment and day-to-day usage remain challenging, according to a new Ponemon Institute survey sponsored by SAS.
    Tags: security, percent, organizations
  • 41
    Event organizers announced that the inaugural INFORMS Conference on Security (ICONS) will be held in Monterey, Calif., in February 2020. The objective of the conference is to bring policymakers in the national defense and security space – including state and local organizations as well as first responders – together with…
    Tags: security, organizations
  • 41
    With the proliferation of more and more sensitive data, expanding connectivity, and the adoption of automated processes, new research from Accenture reveals that C-suite and IT decision-makers need to embrace a different approach to cybersecurity to effectively protect against future cyber risks. While most companies have a chief information security…
    Tags: percent, security

Headlines

Using machine learning and optimization to improve refugee integration

Andrew C. Trapp, a professor at the Foisie Business School at Worcester Polytechnic Institute (WPI), received a $320,000 National Science Foundation (NSF) grant to develop a computational tool to help humanitarian aid organizations significantly improve refugees’ chances of successfully resettling and integrating into a new country. Built upon ongoing work with an international team of computer scientists and economists, the tool integrates machine learning and optimization algorithms, along with complex computation of data, to match refugees to communities where they will find appropriate resources, including employment opportunities. Read more →

Gartner releases Healthcare Supply Chain Top 25 rankings

Gartner, Inc. has released its 10th annual Healthcare Supply Chain Top 25 ranking. The rankings recognize organizations across the healthcare value chain that demonstrate leadership in improving human life at sustainable costs. “Healthcare supply chains today face a multitude of challenges: increasing cost pressures and patient expectations, as well as the need to keep up with rapid technology advancement, to name just a few,” says Stephen Meyer, senior director at Gartner. Read more →

Meet CIMON, the first AI-powered astronaut assistant

CIMON, the world’s first artificial intelligence-enabled astronaut assistant, made its debut aboard the International Space Station. The ISS’s newest crew member, developed and built in Germany, was called into action on Nov. 15 with the command, “Wake up, CIMON!,” by German ESA astronaut Alexander Gerst, who has been living and working on the ISS since June 8. Read more →

UPCOMING ANALYTICS EVENTS

INFORMS-SPONSORED EVENTS

INFORMS Computing Society Conference
Jan. 6-8, 2019; Knoxville, Tenn.

INFORMS Conference on Business Analytics & Operations Research
April 14-16, 2019; Austin, Texas

INFORMS International Conference
June 9-12, 2019; Cancun, Mexico

INFORMS Marketing Science Conference
June 20-22; Rome, Italy

INFORMS Applied Probability Conference
July 2-4, 2019; Brisbane, Australia

INFORMS Healthcare Conference
July 27-29, 2019; Boston, Mass.

2019 INFORMS Annual Meeting
Oct. 20-23, 2019; Seattle, Wash.

Winter Simulation Conference
Dec. 8-11, 2019: National Harbor, Md.

OTHER EVENTS

Advancing the Analytics-Driven Organization
Jan. 28–31, 2019, 1 p.m.– 5 p.m. (live online)

CAP® EXAM SCHEDULE

CAP® Exam computer-based testing sites are available in 700 locations worldwide. Take the exam close to home and on your schedule:


 
For more information, go to 
https://www.certifiedanalytics.org.