Share with your friends










Submit

Analytics Magazine

Security spending potentially a misleading indicator of success

Organizations spend an average of 5.6 percent of the overall IT budget on IT security and risk management, according to the most recent IT Key Metrics Data from Gartner, Inc. However, IT security spending ranges from approximately 1 percent to 13 percent of the IT budget and is potentially a misleading indicator of program success, analysts said.

“Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs,” say Rob McMillan, research director at Gartner. “But general comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”

According to Gartner, the majority of organizations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that should be used to allocate IT or business resources. Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organizations. They simply provide an indicative view of average costs, without regard to complexity or demand.

Explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel. However, any statistics on explicit security spending are inherently “soft” because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

Gartner’s experience is that many organizations simply do not know their security budget. This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel. In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.

To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.

According to Gartner research, secure organizations can sometimes spend less than average on security as a percentage of the IT budget. The lowest-spending 20 percent of organizations are composed of two distinctly different types of organizations: 1) Unsecure organizations that underspend; and 2) secure organizations that have implemented best practices for IT operations and security.

Gartner’s view is that enterprises should be spending between 4 percent and 7 percent of their IT budgets on IT security – lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the “real” or total budget.

Related Posts

  • 44
    Security analytics solutions are delivering deeper visibility into organizations’ security data than ever before, but deployment and day-to-day usage remain challenging, according to a new Ponemon Institute survey sponsored by SAS.
    Tags: security, percent, organizations
  • 40
    The CIA wants the public to know much more about what it’s doing, and analytics plays a key role in the agency’s new approach. This development is not just a few pronouncements to build public support, but a major change in how the CIA and other intelligence agencies will function.…
    Tags: security
  • 36
    Four analytic technologies recently patented by analytic software firm FICO are being incorporated into solutions for cyber security, the Internet of Things (IoT), model governance and optimization.
    Tags: security
  • 32
    A recent report by Scrutinise Research and Analysis finds that immediate action is required to avert potentially disastrous security breaches of connected devices by cyber terrorists and criminals in the current “Wild West” of the Internet of Things (IoT). The report, “Securing the Internet of Things,” recommends a four-pronged approach…
    Tags: security
  • 31
    The convergence of marketing technology (Martech) and advertising technology (Adtech), event-triggered and real-time marketing techniques, personalization and the use of contextual clues are the four key forces that point to a data-centric future for marketers, according to a recent report from Gartner.
    Tags: gartner

Analytics Blog

Electoral College put to the math test


With the campaign two months behind us and the inauguration of Donald Trump two days away, isn’t it time to put the 2016 U.S. presidential election to bed and focus on issues that have yet to be decided? Of course not.


Save

Headlines

Gartner: AI technologies to be pervasive in new software products

Market hype and growing interest in artificial intelligence (AI) are pushing established software vendors to introduce AI into their product strategy, creating considerable confusion in the process, according to Gartner, Inc. Analysts predict that by 2020, AI technologies will be virtually pervasive in almost every new software product and service. Read more →

Drone delivery: Professor develops solution to minimize delays in operations

When delivery companies like FedEx, Amazon and UPS launch drones to deliver packages in the near future, one Kennesaw State University computer science professor may be at the crux of solving one of its most complicated problems. Donghyun (David) Kim, assistant professor of computer science and an expert in computer algorithm optimization, is designing a fast-running algorithm to tackle simultaneous coordination problems among multiple delivery trucks and the drones launched from them. Read more →

Tech spending growth limited to about 5 percent through 2018

Forrester predicts U.S. business and government tech spending will continue to grow by 4.8 percent through 2017 and increase to 5.2 percent in 2018. While these forecasts are higher than Forrester’s projections following the 2016 presidential election, they are lower than the expected numbers from a year ago. Read more →

UPCOMING ANALYTICS EVENTS

INFORMS-SPONSORED EVENTS

Essential Practice Skills for High-Impact Analytics Projects
Sept. 26-27, Executive Conference Center, Arlington, Va.

Foundations of Modern Predictive Analytics
Oct. 2-3, VT Executive Briefing Center, Arlington, Va.

2017 INFORMS Annual Meeting
October 22-25, 2017, Houston

2017 Winter Simulation Conference (WSC 2017)
Dec. 3-6, 2017, Las Vegas

CAP® EXAM SCHEDULE

CAP® Exam computer-based testing sites are available in 700 locations worldwide. Take the exam close to home and on your schedule:


 
For more information, go to 
https://www.certifiedanalytics.org.