Companies expect to spend roughly 10% of their total IT budget on security in 2003, an 8% increase over 2002 levels, with employee education, business continuity and disaster recovery taking priority. Current employees still pose the biggest threat to companies’ technology infrastructures, and security executives are most concerned about electronic attacks like viruses and unauthorised access to systems — more than physical attacks or electronic attacks with physical consequences (i.e. loss of power).
Increasingly, security investments are considered strategic. Along with government and industry regulations and internal compliance audits, customer confidence is a key factor driving companies to invest in information security.
CSO Research Predictions
The importance of protecting company assets will continue to be elevated to the corner office and will become a priority for the CEO over other IT issues. The customer plays an important role in companies’ security plans, and organisations that instill confidence in customers that their personal and business information is safe will have a competitive edge. Security will move from being a line item in the IT budget to warranting its own budget separate from the technology budget, and from the CIO’s domain to the control of a senior-level security executive.
Security budgets
Companies will allocate an average of 10.3% of their total IT budget to information security in the coming year, up from 9.5% reported in 2002. More than one third of the companies surveyed have an annual security budget — including security products, systems, services and staff — of more than $US1 million in 2003, while 36% reported security budgets between $US101,000 and $US1 million. Close to one quarter (27%) reported security budgets of less than $US100,000 for 2003.
The majority (71%) of executives surveyed said that their company had separate budgets for physical security and IT or information security, up from 58% reported in July 2002. Three quarters (75%) of CSOs reported that the IT security budget was included in the overall IT budget. This figure is down from the 80% reported in July, signaling that companies are putting increased emphasis on IT security, giving it its own budget rather than treating it as a line item in the IT budget.
Security management priorities for 2003
When asked what their organisation’s security management priorities were for the coming year, respondents listed training/educating employees (72%), assuring business continuity (68%), disaster recovery (68%), enforcing security policy (65%) and assessing risk (61%), in that order.
When asked about spending priorities, CSOs said they would invest in security software (38%), services (21%) and security hardware (14%) in 2003.
While compliance with government and industry regulations is motivating many companies to invest in security, others are taking measures to instill confidence in their customer base. When asked about the key factor driving security investment in their organisation, security executives listed current government/industry regulation (22%), auditing, risk management (21%) and customer confidence (15%) most frequently.
Benefits of security investments
Survey respondents are already getting benefits from their security investments. When asked to list the top benefits that their organisation had experienced as a result of its security investments to date, respondents listed fewer security breaches (75%), reduced financial loss (47%) and increased customer satisfaction (29%) most frequently.
CSO magazine’s Security Sensor survey was administered online from November 25 through December 9, 2002. Subscribers to CSO magazine were invited to take the survey. The results shown here are based on the responses of 797 security professionals (not all respondents answered all questions), representing a response rate of 9%. The margin of error for this study is +/- 3.5%.
When asked about title, 34% were senior-level including CIOs, CTOs, CSO/CISO and vice presidents. Forty-five per cent of respondents were directors or managers. Seven per cent held government titles and 13% listed “other.”
Thirty-nine per cent of the survey respondents worked at companies with annual revenue of $US1 billion or greater. Twenty-two per cent were from companies with annual revenue between $US100 million and $US999.9 million, and 34% listed revenue at less than $US100 million. (Six per cent did not answer.)
Respondents represented a wide range of industries including local, state or federal government (19%), insurance/healthcare (15%), computer-related industries (13%), finance/banking (10%), manufacturing (8%) and education (7%).