A common assumption is that security expenditure is a proxy for security maturity. This may make sense at first blush but paradoxically, a low relative level of information security spending compared to peers can be equally indicative of a very well-run or a poorly run security program. Spending analysis is, therefore, imprecise and a potentially misleading indicator of program success. In fact, it is necessary to ensure that the right risks are being adequately managed, and understand that spending may fluctuate accordingly.
According to Gartner’s most recent IT Key Metrics Data, respondents spent between 4-7% on IT security and risk management as a percentage of the overall IT budget. Note that IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT within organizations. They simply provide an indicative view of average costs in general, without regard to complexity or demand.
The compliance hyperbole of previous years that drove information security spending has abated, having matured with organizations moving from planning to productive activities to address the requirements. Compliance remains a relevant internal selling point for justifying security and risk management budgets, but other factors — such as the series of high profile attacks played out in global media in recent years — have now become strong drivers. The visibility of information security spending in the boardroom is at an all-time high.
It is quite possible to constrain spending without compromising your security posture. One way is to consider managed detection and response. This is an effective outcome based combination of expertise and tools to detect threats, especially targeted advanced threats and insider threats. Our SIEMphonic service offering is a premier example of this type of service. The figure above, as described in this research note, can be the result.