46 percent of respondents said their IT security budget increased significantly (15 percent of respondents) or increased (31 percent of respondents) in the past two years, Dell said in its 2015 Global IT Security Spending and Investments report.
In the next two years, 19 percent said the IT security budget will increase significantly and 31 percent said it will increase. The remaining 50 percent said their budgets are flat (46 percent) or, in a few organizations, will actually decrease.
More than 50 percent of IT security and IT leaders and their staff surveyed said their organization’s C-Level executives are not given the necessary information to make budgeting decisions regarding security priorities and the investments in technology and personnel required.
46 percent say the leadership is responsible for the budget. Only 29 percent of respondents say the budget is determined from the staff level or bottom up. This is another indication that IT security and those lower in the company are not as influential in the budgeting process as they should be, said Dell.
“Organizations cannot expect to combat today’s increasing cyber threats if important stakeholders, such as the C-level executives and board members, are not adequately informed about their organization’s security strategy, challenges and goals,” said Kevin Hanes, executive director of Security and Risk Consulting for Dell SecureWorks.
58 percent said they did not think or were unsure if their organization possessed sufficient resources to achieve compliance with security standards and laws, according to the study, which was commissioned by information security vendor Dell SecureWorks.
The global Ponemon study, “2015 Global IT Security Spending & Investments,” surveyed 1,825 IT security and IT leaders and their staff in 42 countries in North America, Europe, Middle East, Africa, Asia Pacific, Japan and Latin America.
Security and IT leaders believe it is most important to pursue improvement in the organization’s security posture (72 percent of respondents), while security and IT staff members see the minimization of downtime as the primary security objective (83 percent of staff respondents).
Security and IT leaders view third-party mistakes, including those made by cloud providers, as a more serious cyber threat (49 percent of leader respondents) than negligent insiders (37 percent of leader respondents), while security and IT staff members consider insecure Web applications and negligent insiders as more serious threats (57 and 56 percent of staff respondents, respectively).
Senior management determines IT security budgets and spending. Only 32 percent of respondents say they actually conduct an assessment of their organization’s security risks. Security leaders must become part of the leadership fabric in order to ensure proper budgets based on assessment of security risks facing the company.
The average total revenue of organizations represented in this research is $1.2 billion. On average, companies spend $111.7 million annually on IT operations and investment. This includes licensing and maintenance fees, labor costs, investments in enabling technologies and overhead.
8.2 percent of the IT budget, or $9.14 million annually, is allocated to IT security, and 9.2 percent of the IT security budget (approximately $840,000) is for activities related to innovations in enabling technologies and control processes.
The most valuable resource to an organization is its IT security staff. Based on the allocation of resources, most of the budget is used for staffing purposes (32 percent of respondents) followed by technologies and their maintenance (25 percent of respondents).
Only 21 percent of respondents say the IT security budget is on the board’s agenda. This is because the organization prefers to leave security governance to senior management (86 percent of respondents). However, 64 percent of respondents say lack of directors’ expertise and knowledge about cybersecurity keeps the issues off the board’s agenda. Thirty-six percent of respondents believe IT security is not a priority issue.
In the past 2 years, respondents say on average 37 percent of all investments in enabling security technologies fell below their expectations. The root cause of most dissatisfaction is the human factor. Forty-four percent say it is a lack of in-house expertise, followed by 32 percent of respondents who cite vendor support issues. 32 percent say it was higher than expected installation costs. Much lower were system performance issues (degradation) and higher than expected maintenance costs, both 4 percent of respondents.
Sixty-two percent of respondents say data in applications is most vulnerable followed by third parties, including cloud providers (57 percent of respondents) and mobile devices (including smartphones) (44 percent of respondents).
Application security risks are the most serious, according to 34 percent of respondents, followed by threats to the network. The number one, according to 68 percent of respondents, is anti-virus solutions, followed by 63 percent of respondents who select incident & event management systems (SIEM) and identity and access management systems (57 percent of respondents).
It is not the IT security leader who owns the IT security budget and makes decisions about how to allocate the budget (19 percent and 10 percent, respectively). Rather, both responsibilities rest with the chief information officer (CIO) or chief technology officer (CTO). It is most often the CIO, CTO and business leader who decide how much to invest.