Security spending

Despite a major increase in high-profile IT security breaches, the amount of time and money most organizations are allocating to security remains stagnant.

Respondents reported that the CIO/CTO has control most often, at 37%, followed by business unit leaders, at 22%. Only 19% cited the IT security leader.

On the second question, CIOs/CTOs again top the list (33%), followed by business unit leaders (31%) and the CFO (13%). Only 10% cited the IT security leader.

Only 24% of respondents strongly agreed that their organization views security as one of the top two strategic priorities.

Nearly half (46%) said their IT security budgets increased in the past two years, and 50% expect them to increase in the next two years. The other half (50%), however, expect their budgets either to stay flat (46%) or to actually decrease (4%).

On average, 8.2% of the IT budget, or $9.14 million, is allocated to security annually, and 9.2% of the IT security budget is allocated for activities related to new technologies (approximately $840,000).

In 39% of organizations senior management sets the security budget, versus 32% that base it on an actual assessment. Most of the budget goes to staffing, according to 32% of respondents, followed by technologies and their maintenance (25%). Only 19% is allocated to managed or outsourced services.

Only 43% of respondents said their organizations' IT security budgets are adequate, and more than half (53%) said the budgeting process is too complex.

More than half (58%) said they do not have sufficient resources to achieve compliance with security standards and laws.

More than half of respondents either do not agree (34%) or are unsure (17%) that C-level executives are briefed on security priorities and on investments in technology and personnel. Only 21% said the IT security budget is on the board's agenda.

Corporate leaders are more likely to view mistakes by third parties, including cloud providers, as a serious threat (49%). Staff consider insecure Web applications (57%) and negligent insiders (56%) the more serious threats.

Staff see minimizing downtime as the primary security objective (83%), while corporate leaders (72%) cite the organization's overall security posture. Only 8% of both groups believe that providing cyber-security training for all employees should be a top security objective.

Nearly two-thirds (62%) said data held in applications is most vulnerable, followed by third parties such as cloud providers (57%) and mobile devices (44%).

On average, 37% of all investments in enabling security technologies did not meet expectations. Asked why, 44% cited a lack of in-house expertise, 32% cited vendor support issues, and another 32% pointed to higher-than-expected installation costs.

The most widely deployed technologies are anti-virus software (68%), followed by security information and event management (SIEM) systems (63%) and identity and access management systems (57%).

Technologies that are both earmarked for purchase and rated economically beneficial are SIEM (53% earmarked, 63% rated beneficial) and encryption (52% and 45%, respectively).

Most respondents (84%) said they are investing in intrusion-detection or intrusion-prevention systems, yet only 41% said it is a top-performing technology in terms of economic benefit. Similarly, 72% said they are purchasing identity and access management systems, but only 57% said those systems are economically beneficial.

Only 18% of respondents said their companies' IT security program activities are fully deployed, and 22% admitted to still being in an early stage.