A recent report by Gartner warns that although businesses are spending on average just over 5% of their overall IT budgets on IT security, comparing your security spending to other firms in the same sector is no substitute for accurately assessing your own security posture and spending requirements.

Yes It Sounds Low, But…

According to Gartner’s report, the current IT security spend ranges from 1% to 13% of a firm’s IT budget, and the just over 5% average spend figure does seem low, especially considering the large number of reported hacks and security breaches.

The report, however, suggests that if companies use industry average figures, or even the spend of another company in the same sector, to help them decide upon their own IT security budget, they may be putting themselves at risk and/or misusing that information.

Base It on Your Own Company’s Needs

According to the Gartner report, simply applying generic industry averages could mean that although your company is spending at the same level as its peers, you may be spending on the wrong things. Your company’s IT security needs may be more complex, and your risk appetite may be greater, than those of companies that you regard as your peers.

The Gartner report therefore argues that simple spending statistics do not necessarily provide a measure of IT effectiveness and are not a gauge of successful IT organisations.

Another complicating factor in arriving at an accurate IT security budget, highlighted by the report, is that many organisations are unaware of their security budget: because of inadequacies in company cost accounting systems, the chief information security officer has only restricted insight into security spending throughout the enterprise. For example, many security-relevant processes are in fact carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel.

What Does This Mean For Your Business?

In order to arrive at the right kind and level of IT security budget for your specific organisation, it is risky to rely heavily upon industry average statistics. A better plan may be to clearly establish your own business IT security requirements and risk tolerances. To help identify a realistic budget, it may be worth looking at areas such as networking equipment with embedded security functions, any desktop protection that may be included in your end-user support budget, your enterprise applications, any outsourced or managed security services, your business continuity or privacy programmes, and any security training that may be funded by your HR function.

Being able to accurately divide up your spending among hardware, software, services (including outsourcing and consulting), and personnel may mean that you are better able to arrive at the optimum budget.

It may even be the case that by exercising due diligence in this way you end up spending less than the average amount while still staying secure.

Among the lowest-spending 20% of businesses are organisations that have implemented best practices for IT operations and security, and are actively working to reduce vulnerabilities.