Businesses are spending on average just over 5% of their overall IT budgets on trying to prevent the latest hacks and security breaches, according to analyst house Gartner.
Despite the growing threats facing organisations, Gartner said that IT security spending ranges from just 1% to 13% of a firm’s IT budget, and warned that comparing security spending with other firms, even those in the same sector, can be misleading.
“Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes,” explained Gartner’s research director, Rob McMillan.
“But general comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable.”
He added: “Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”
According to Gartner, most companies will continue to misuse average IT security spending figures as a substitute for assessing security posture, at least until 2020. The analyst firm warned that business requirements and risk tolerance need to be considered when evaluating whether or not a business has set its security budget at the right level.
“IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations,” Gartner explained. “They simply provide an indicative view of average costs, without regard to complexity or demand.”
This is because many organisations are unaware of their security budget, and – in most instances – the chief information security officer does not have insight into security spending throughout the enterprise, Gartner said.
“This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel,” the firm added.
And deciding what to spend that budget on is a different thing entirely. Security spending is generally split among hardware, software, services – including outsourcing and consulting – and personnel.
“To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programmes, and security training that may be funded by HR,” Gartner said.
Its research suggests secure organisations can sometimes spend less than average on security as a percentage of their IT budgets. The lowest-spending 20% of businesses are composed of two distinctly different types of organisation: insecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security and work towards reducing the number of security vulnerabilities.
Gartner’s view is that enterprises should be spending less on security if they have mature governance systems, and more if they are wide open and at risk.