Security Market Segment LS
Friday, 09 December 2016 12:49

IT security spending no measure of programme success: Gartner Featured

By
IT security spending no measure of programme success: Gartner Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Global IT security spending ranges from approximately 1% to 13% of the IT budget, with the average spend  standing at 5.6%, but research analyst firm Gartner says the figures are potentially a misleading indicator of programme success.

According to Gartner, the majority of organisations will continue to misuse average IT security spending figures as a “proxy for assessing security posture through to 2020".

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes," says Rob McMillan, research director at Gartner.

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers."

{loadposition}McMillan says that without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not, by itself, provide valid comparative information that “should be used to allocate IT or business resources.”

“Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations. They simply provide an indicative view of average costs, without regard to complexity or demand,” McMillan stresses.

Gartner reports that explicit security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel.

But, the analyst firm says that any statistics on explicit security spending are inherently "soft" because they understate the true magnitude of enterprise investments in IT security, since security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

McMillan says Gartner’s experience is that many organisations simply do not know their security budget.

“This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel. In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.”

According to McMillan, to identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programs, and security training that may be funded by HR.

Gartner says secure organisations can sometimes spend less than average on security as a percentage of the IT budget, with its research showing the lowest-spending 20% of organisations are composed of two distinctly different types of organisations:

1.    Unsecure organisations that underspend, and

2.    Secure organisations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.

“Gartner's view is that enterprises should be spending between 4% and 7% of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, and not the ‘real’ or total budget,” McMillan notes.

To demonstrate due care in information security, Gartner says organisations need to first assess their risks and understand both the CISO's security budget and the "real" security budget found in the complicated range of accounts that may not capture all security spending.

"A CISO who has knowledge of all of the security functions taking place within the organisation — as well as those that are necessary but missing — and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage," McMillan concludes.


Subscribe to ITWIRE UPDATE Newsletter here

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Peter Dinham

Peter Dinham - retired in 2020. He is a veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments