The Computing Technology Industry Association (CompTIA) has released an interesting study with some good news. The industry group surveyed 1,070 organizations and found that last year they spent 20 percent of their technology budgets on security. That's five percentage points better than the year before, and an improvement of 8 percent compared to 2004.
CompTIA drilled into the numbers. It found that of each buck spent on security, 42 cents went to security technology; 17 percent for "security-related processes"; 15 cents for training; 12 cents for assessment; 9 cents for certification; and the rest to pay for assorted odds and ends.
Looking forward, CompTIA found that almost half of respondents expect to spend more on security technologies and one-third more on training during the next year. The average spending increase is expected to be between 19 and 23 percent.
More good security spending news is available in a Deloitte & Touche annual survey of security practices, reported on here at InfoWorld. The survey, which included data from 169 financial institutions, revealed that 98 percent spent more on information security this year than last. The study covered 32 countries, and said that 11 percent of the banks, investment houses and insurance companies spent 15 percent more than last year. Of companies that measure on a per-capita basis, 7 percent spent more than $1,000 per person, 14 percent between $251 and $500, 23 percent between $100 and $250 and 11 percent less than $100.
The basic idea that security spending is rising also is validated in this Business Standard story, which says worldwide outlays are expected to rise 20 percent. This piece, which focuses on India, should interest IT and security personnel in the United States because the cyber cultures of the two countries are so deeply linked. The story says 36 percent of respondents in India expect increases between 10 percent and 20 percent. Various responses from the survey suggested that mobile and wireless are of increasing concern to security personnel.
Of course, the big caveat to all these essentially positive numbers is that spending more doesn't necessarily equate to better security. The spending must be done wisely as well.
This InfoWorld blog, a preview of a presentation slated for the Gartner Symposium/ITxpo 2007, says there is no consistency across companies on the portion of the overall IT budgets spent on security. Security's cut, so to speak, ranges between 3.5 percent and 20 percent, with an average close to 11.7 percent. The piece, which previews a presentation by Gartner fellow Neil MacDonald, said the top ideas for spending wisely are taking a process-based approach; avoiding high-cost projects; focusing on integrated instead of best-of-breed products; and utilizing internal application security test tools during development. A bit of insight is offered on each of these steps.
This 1 Raindrop post offers ideas on how to approach network security budgeting. The five key questions for IT managers: How secure am I? Am I better than this time last year? Am I spending the right amount of money? How do I compare to my peers? What risk transfer options do I have?
The writer offers basic approaches to analyzing and breaking down security spending within the context of overall IT budgets and links to others with input on this arcane, but extremely important, issue.