Inside the IT Security Budget Paradox


1 - Inside the IT Security Budget Paradox

Despite a major increase in high-profile IT security breaches, the amount of time and money most organizations are allocating to security remains stagnant.

2 - Where Control of the IT Security Budget Lies

Respondents most often reported that the CIO/CTO has control, at 37%, followed by business unit leaders, at 22%. Only 19% cited the IT security leader.

3 - Who Decides How Much to Invest in IT Security?

CIOs/CTOs again top the list (33%), followed by business unit leaders (31%) and the CFO at 13%. Only 10% cited the IT security leader.

4 - IT Security as a Priority

Only 24% of respondents strongly agreed that their organization views security as one of the top two strategic priorities.

5 - IT Security Budget Plans

Nearly half (46%) said their IT security budgets increased in the past two years, and 50% said they will increase in the next two years. However, the same percentage of respondents (50%) said their budgets are either flat (46%) or would actually decrease (4%).

6 - Percentage of IT Budget Allocated to Security

On average, 8.2% of the IT budget, or $9.14 million, is allocated to security annually, and 9.2% of the IT security budget is allocated for activities related to new technologies (approximately $840,000).

7 - How IT Security Budget Is Determined

Senior management determines the budget (39%), versus 32% who rely on an actual assessment. Most of the budget is used for staffing, according to 32% of respondents, followed by technologies and their maintenance (25%). Only 19% is allocated to managed or outsourced services.

8 - IT Security Budgeting Process

Only 43% of respondents said their organizations’ IT security budgets are adequate. More than half (53%) said the process is too complex.

9 - IT Security Budgets in Terms of Compliance Mandates

More than half (58%) said they do not have sufficient resources to achieve compliance with security standards and laws.

10 - An Absence of CXO Security Involvement

Nearly a third of respondents do not agree (34%) or are unsure (17%) that C-level executives are briefed on security priorities and investments in technology and personnel. Only 21% of respondents said the IT security budget is on the board’s agenda.

11 - The Great IT Security Disconnect

Corporate leaders are more likely to view third-party mistakes or flubs, including those made by cloud providers, as a serious threat (49%). The staff considers insecure Web applications (57%) and negligent insiders (56%) more serious threats.

12 - IT Security Goals

The staff sees the minimization of downtime as the primary security objective (83%), while corporate leaders (72%) cite the organization’s overall security posture. Only 8% of both groups believe providing cyber-security training for all employees should be a top security objective.

13 - Most Vulnerable Elements of IT

Nearly two-thirds (62%) said data in applications is most vulnerable, followed by third parties, such as cloud providers (57%) and mobile devices (44%).

14 - Satisfaction With IT Security Investments

On average, 37% of all investments in enabling security technologies did not meet expectations. What’s more, 44% said they lack in-house expertise, followed by 32% citing vendor support issues. Another 32% pointed to higher-than-expected installation costs.

15 - IT Security Technologies Deployed

Most often deployed are anti-virus software (68%), followed by security incident and event management (SIEM) systems (63%) and identity and access management systems (57%).

16 - Top Planned Beneficial IT Security Investments

Technologies that are both earmarked for purchase and economically beneficial are SIEM (53% and 63%) and encryption (52% and 45%).

17 - Questionable IT Security Investments

84% said they are investing in intrusion-detection or intrusion-prevention systems. However, only 41% said it is a top-performing technology in terms of the economic benefits. Similarly, 72% said they are purchasing identity and access management systems, but only 57% said it is economically beneficial.

18 - Maturity of IT Security Strategy

Only 18% of respondents said their companies’ IT security program activities are fully deployed. A full 22% admitted to still being in an early stage.

Michael Vizard
Michael Vizard is a seasoned IT journalist, with nearly 30 years of experience writing and editing about enterprise IT issues. He is a contributor to publications including Programmableweb, IT Business Edge, CIOinsight, Channel Insider and UBM Tech. He formerly was editorial director for Ziff-Davis Enterprise, where he launched the company’s custom content division, and has also served as editor in chief for CRN and InfoWorld. He also has held editorial positions at PC Week, Computerworld and Digital Review.
