Security budgets stagnant, execs must put money where their mouths are: Gartner

With IT security maturity flagging and budgets stagnant, IT project leaders must ensure they build adequate risk-management funding into project budgets from the get-go, new research into IT security budgets has suggested.

Gartner’s IT Security Budgets and Staffing Projections for 2013 found that annual spending on IT security and risk management represents around 5.5 per cent of total IT spending. With overall IT budgets remaining flat this year, security budgets are expected to follow the trend.

Measures of information security maturity suggested that the budget inertia has taken its toll, with maturity actually down in 2012 from the year before and most information security programs still at the ‘developing’ (level 2) stage on Gartner’s five-level IT Score ranking. Planning and budgeting were noted as the most mature area, with security governance close behind; threat and vulnerability management were ranked least mature overall.

These findings are consistent with the general situation within Australian IT security planning, Rob McMillan, Gartner research director for security, risk and privacy, told CSO Australia. “Australia’s ability to understand concepts and risks is always pretty well advanced,” McMillan explains.

“Australia was the foundation for very important risk management standards, such as AS4360 – which became the guts of ISO 27005 – and so there is a good understanding of risk in Australia generally. But the challenge is always execution: nothing means anything until you see how it pans out.”

To counter this trend, Gartner recommends that project managers budget 5% to 20% of a total project budget for security testing and risk mitigation – and that project managers be prepared to press their case for stronger security budgets against business leaders whose instinct may be to minimise security spending along with overall IT spending.

Skills in building this case must be nurtured by CIOs that have become increasingly comfortable with corporate compliance requirements over the past few years, Gartner noted. For this reason, CIOs know – and must take the initiative to impart to business leaders – that security has to be an intrinsic part of strategic planning rather than something to be added in later.

This may seem intuitive at first glance, but surveys of CIO priorities – which showed security as CIOs’ number-nine concern for 2013 – offer important insight into the continuing perception of security as a separate process and entity. CIOs’ three top priorities – analytics and business intelligence, mobile technologies and cloud computing, respectively – all require adequate attention to security in order to function correctly.

Making this point will require a concerted effort from business and IT executives alike, McMillan says, warning that CSOs and equivalent “shouldn’t have to sell this to the executives”. With executives happy to push for security-threatening paradigms like bring your own device (BYOD) models, McMillan says those executives should have an attendant sense of responsibility around security – and a willingness to support their technological desire with appropriate security funding.

“I don’t think you see the standard of maturity amongst senior management that we ought to be seeing, by and large,” he explains. “You would think that from a leadership perspective, if CEOs are expecting the rest of the organisation to adhere to the rules and protect the assets of the company, they ought to be displaying a level of leadership that demonstrates their own commitment to those rules. And you don’t always get that.”

Stories by David Braue