[ISN] Security swallows a twelfth of IT budgets

From: InfoSec News (isnat_private)
Date: Fri Mar 07 2003 - 00:38:23 PST


    By Ian Lynch in Barcelona [07-03-2003]
    Not including special projects or disaster recovery, says Meta
    IT directors have been advised to spend three to eight per cent of
    their IT budgets on ongoing security costs.  The figures are best
    practice guidelines given by analyst Meta at its 14th annual forum in
    Barcelona earlier this week.
    Meta explained that the figure does not include special events, nor
    projects such as public key infrastructure implementations.
    The analyst added that security budgets will increase by 10 per cent
    this year, as they did in 2001 and 2002.
    Financial services firms should spend eight per cent of their IT
    budget on security to cover ongoing costs. Energy companies should
    allocate 6.5 per cent, e-commerce companies six per cent, retailers
    five per cent and manufacturing companies three per cent.
    These figures do not cover business continuity and disaster recovery,
    which should take up another 2.5 to four per cent, according to Tom
    Scholtz, vice president of security and risk strategies at Meta.
    Security is the third biggest concern for businesses, said Scholtz,
    and should be seen as an asset protection tax.
    Enterprises need to evolve or establish their security programmes,
    because continuing to operate a break/fix approach will dramatically
    increase corporate liabilities.
    A good programme takes two or more years to establish and includes
    nine components (see below), each as important as the other.
    "It should not just be about IT but about culture, processes and, in
    the fullness of time, physical security," said Scholtz.
    Given that chief information officers move jobs on average every 18
    months, the programme should be overseen by a management steering
    But Scholtz conceded that politics and tradition will probably ensure
    that the security job function will remain in the IT domain for some
    The analyst predicted that 40 per cent of enterprises will have put
    programmes in place by the end of 2003, with 70 per cent of
    enterprises developing their own programme by 2005. Leading-edge
    programmes will have matured by the end of 2003.
    Meta's nine components for a security programme:
    * A governance structure that ties security to the business.
    * A vision, reduced to quarterly deliverables, that drives toward an 
      appropriately secured environment; an architecture that is 
    * An organisational approach that supports accountability and the 
      correct separation of duties.
    * A plan to generate continuous cultural change.
    * A maturity programme for security-related processes.
    * An approach to supporting local management discretion in determining 
      the appropriate level of security.
    * The execution of processes that determine just how secure the 
      environment is - right now!
    * The execution of projects that make the environment more secure.
    * The execution of processes which ensure that security is servicing 
      the current needs of all aspects of the business.
    ISN is currently hosted by Attrition.org
