Security spending does not equal maturity: Gartner


By Dylan Bushell-Embling
Monday, 12 December, 2016

Organisations often falsely equate their IT security spending with their level of security maturity, and are often unaware of their true security spending in any case, according to Gartner.

The company’s research indicates that organisations spend an average of 5.6% of their overall IT budget on IT security and risk management.

But while organisations typically compare their budgets with others in their industry to determine whether they are adequately addressing the risks of cybercrime, Gartner Research Director Rob McMillan said such comparisons can be misleading.

“General comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable,” he said.

“Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”

Some of the most mature organisations in terms of security are among the lowest-spending 20% of organisations, McMillan said.

These are organisations that have implemented best practices for IT operations and security that work towards reducing the overall complexity of IT infrastructure and the number of security vulnerabilities.

Gartner recommends organisations spend between 4% and 7% of their IT budgets on IT security — those with mature systems can spend in the lower range, while at-risk companies should be spending in the higher range.

But many organisations do not have an accurate measure of their real security budgets, because security functionality is bundled into hardware, software and services that are not dedicated to security and so is paid for outside the security budget.

Few cost accounting systems break out security as a separate line item, which often leaves CISOs without insight into security spending throughout the enterprise, but gaining a better understanding of this ‘real’ budget is a distinct advantage.

“A CISO who has knowledge of all of the security functions taking place within the organisation — as well as those that are necessary but missing — and the way in which those functions are funded is likely to use indirectly funded functions to greater advantage,” McMillan said.
