Money Matters: Security Execs Get Bigger Budgets, Higher Profiles


This Dark Reading report on a presentation and related research by Forrester on security spending suggests that security executives are more visible in the enterprise. That enlarged profile brings challenges. For instance, IT folks now have "dotted line" reporting responsibilities to more executives than in the past.


The other news from the study is that after dipping slightly last year, security has risen to the top budget priority spot for half of the 1,100 decision-makers questioned.


In a global economy in which interrelationships are physical as well as financial, it's important to gauge security spending outside the United States. Gartner says that a higher percentage of IT budgets are spent on security in Australia, China and India than in the United States or Europe.


The analyst firm says 40 percent of organizations have increased budgets compared to 2007 and 45 percent remained constant. Gartner says 46 percent of Chinese and 56 percent of Indian respondents are spending significantly or somewhat more on security, while only 18 percent of Australian respondents are doing so. The average portion of IT budgets focused on security is 15 percent, a number the firm says is high compared to Western Europe and North America.


This tracks with a study that I noted last month. Access Markets International says that spending among Indian SMBs is up, though the starting point seems low. The original AMI release is here.


Companies and executives spend lots of time and money on IT budgets. This commentary, by well-known security consultant Bruce Schneier, deconstructs the return on investment (ROI) element of budgeting and creates a context for its use in security purchases. ROI is a bit of a misnomer in the security context, since the key is to prevent losses, not generate revenue. Schneier says that the classic way of determining how much to spend on security is annualized loss expectancy (ALE). The description reads like that of life insurance and the actuarial tables on which it is based.


ALE suggests that determining how to spend is a function of how much a breach will cost and the chances of it happening, Schneier says. He shows where ALE fails, so to speak. These are cases in which the cost of a problem is too subjective or in which the possibility of an incident is remote but potentially catastrophic. The final takeaway is that ALE analysis from vendors should be taken with a grain of salt, but can provide important general information for buying decisions.
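To make the ALE arithmetic concrete, here is a small added example (my own code, not from Schneier's commentary or the article) that computes ALE as single loss expectancy times annualized rate of occurrence, nets a control's ALE reduction against its cost, and flags the case the paragraph above warns about: a remote but ruinous event whose ALE looks affordable. All scenario names and dollar figures are constructed.

```python
"""Annualized loss expectancy (ALE) worked through, including the failure mode
where a low-probability, catastrophic event averages out to a harmless number.
Every scenario and figure below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single loss expectancy: cost of one incident, in dollars
    aro: float   # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """ALE = SLE x ARO, the classic expected annual loss figure."""
        return self.sle * self.aro


def net_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Annual ALE reduction minus what the control costs per year.
    Positive means the control 'pays for itself' in ALE terms."""
    return before.ale() - after.ale() - annual_control_cost


def ale_is_misleading(s: Scenario, survivable_loss: float) -> bool:
    """True when ALE hides the real risk: a single incident would exceed what
    the organization can absorb, yet averaging it over years makes it look small."""
    return s.sle > survivable_loss and s.ale() <= survivable_loss


# Constructed scenarios (hypothetical numbers, not from any survey).
PHISHING = Scenario("credential phishing", sle=20_000, aro=4.0)
PHISHING_WITH_MFA = Scenario("credential phishing, with MFA", sle=20_000, aro=0.5)
DATACENTER_FIRE = Scenario("data-center fire, no offsite backups", sle=50_000_000, aro=0.001)
SURVIVABLE_LOSS = 5_000_000  # constructed: largest single hit the firm could absorb

if __name__ == "__main__":
    for s in (PHISHING, PHISHING_WITH_MFA, DATACENTER_FIRE):
        print(f"{s.name:40s} ALE = ${s.ale():>12,.0f}")
    # A $30k/yr MFA rollout: ALE drops from $80k to $10k, net benefit $40k/yr.
    print("MFA net benefit:", net_benefit(PHISHING, PHISHING_WITH_MFA, 30_000))
    # The fire scenario has a $50k ALE, yet one occurrence is a $50M loss.
    print("fire ALE misleading?", ale_is_misleading(DATACENTER_FIRE, SURVIVABLE_LOSS))
```

The last check is the point of the paragraph: a $50,000 ALE looks like a minor line item, but no amount of averaging makes a $50 million single-event loss survivable, so ALE alone cannot drive that buying decision.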


In June, InformationWeek released an exhaustive survey on security spending. There is a wealth of good information on what measures security executives are employing. While investment in security is increasing or constant for 95 percent of respondents, two-thirds say that their vulnerability is the same or worse than last year. The grand conclusion of the report is that security executives can improve on the bang they get for their investment buck by doing a better job of determining the worst threats to their organizations and how to directly address them. In other words, the story says, concise risk management -- figuring out how best to spend each dollar -- is more prudent than haphazardly throwing money at problems.