Organisations are spending just 5% of their IT budget on security, according to a survey from Gartner. And before readers consider benchmarking their spend against others in their field, that’s not going to work, the company says.
You can spend an awful lot on the wrong things, so the sheer quantity of the budget has very little impact on how secure you should feel.
Given the huge changes about to hit Europe for the incoming GDPR legislation, you could imagine a number of companies increasing rather than minimising their focus on IT security – but it doesn’t seem to be happening. Organisations are spending anything from 1% to 13% of the overall IT budget on security, so Gartner is calling for them to recognise the “real” security budget.
An associated problem is the red herring of comparisons with other companies in the same field. “Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practising due diligence in security and related programs,” said Rob McMillan, research director at Gartner.
“But general comparisons to generic industry averages don’t tell you much about your state of security,” he added.
“You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”
Gartner, for its part, believes companies will continue to “mis-spend” money by using comparisons up to and including the year 2020. It offers a number of areas for companies to analyse when considering their next round of IT budgets:
- Check for networking equipment that has embedded security
- When assessing the security budget, consider any costs tied into end user support contracts
- Include outsourced operations in any security audit as well as in-house enterprise applications
So how much should you be spending? Gartner reckons between 4% and 7% of the IT budget is about right. How much are you setting aside for IT security?
2 comments on “Warning not to spend IT security cash on the wrong things”
Gartner don’t seem too clear on their numbers:
“Organisations are spending just 5% of their IT budget on security, according to a survey from Gartner.”
“Organisations are spending anything from 1% to 13%”
“Gartner reckons between 4% and 7%”
This is good information. Unfortunately, it’s not all that surprising.
Perhaps a better way to analyze it would be to check spending on each of the 10 domains of security (that CISSPs train for, e.g. Access Control, Cryptography, and Physical/Environmental).
I’m not sure it would be more accurate, but it would force budgeteers to understand at least a small piece of the security picture. My CEO simply can’t have enough time to learn it all, but his organization should be able to quantify things.
Breaking it down would also nudge them into understanding what the real risks are.
My big question is, “would it be worth it?”