With IT security maturity flagging and budgets stagnant, IT project leaders must ensure they build adequate risk-management funding into project budgets from the get-go, new research into IT security budgets has suggested.
Gartner’s IT Security Budgets and Staffing Projections for 2013 found that annual spending on IT security and risk management represents around 5.5 per cent of total IT spending. With overall IT budgets remaining flat this year, security budgets are expected to follow the trend.
Measures of information security maturity suggested that the budget inertia has taken its toll, with maturity actually down in 2012 from the year before and most information security programs still at the ‘developing’ (level 2) stage on Gartner’s five-level IT Score ranking. Planning and budgeting were noted as the most mature area, with security governance close behind; threat and vulnerability management were ranked least mature overall.
These findings are consistent with the general situation in Australian IT security planning, Rob McMillan, Gartner research director for security, risk and privacy, told CSO Australia. “Australia’s ability to understand concepts and risks is always pretty well advanced,” McMillan explains.
“Australia was the foundation for very important risk management standards, such as AS4360 – which became the guts of ISO 27005 – and so there is a good understanding of risk in Australia generally. But the challenge is always execution: nothing means anything until you see how it pans out.”
To counter this trend, Gartner recommends that project managers budget 5% to 20% of a total project budget for security testing and risk mitigation – and that project managers be prepared to press their case for stronger security budgets against business leaders whose instinct may be to minimise security spending along with overall IT spending.
Skills in building this case must be nurtured by CIOs who have become increasingly comfortable with corporate compliance requirements over the past few years, Gartner noted. For this reason, CIOs know – and must take the initiative to impart to business leaders – that security has to be an intrinsic part of strategic planning rather than something added in later.
This may seem intuitive at first glance, but surveys of CIO priorities – which showed security as CIOs’ number-nine concern for 2013 – offer important insight into the continuing perception of security as a separate process and entity. CIOs’ three top priorities – analytics and business intelligence, mobile technologies and cloud computing, respectively – all require adequate attention to security in order to function correctly.
Making this point will require a concerted effort from business and IT executives alike, McMillan says, warning that CSOs and equivalent “shouldn’t have to sell this to the executives”. With executives happy to push for security-threatening paradigms like bring your own device (BYOD) models, McMillan says those executives should have an attendant sense of responsibility around security – and a willingness to support their technological desire with appropriate security funding.
“I don’t think you see the standard of maturity amongst senior management that we ought to be seeing, by and large,” he explains. “You would think that from a leadership perspective, if CEOs are expecting the rest of the organisation to adhere to the rules and protect the assets of the company, they ought to be displaying a level of leadership that demonstrates their own commitment to those rules. And you don’t always get that.”