Security Planning: Reactive or Proactive?
If your IT organization is in a reactive posture when it comes to security, then it is probably falling into the 50 percent of respondents who have no corporatewide security budget. Why? Because with no companywide security strategy, what you are doing is responding to the individual needs of the various stakeholders at your organization, as those needs arise from usage or new project development.
It's important to be able to respond to your internal clients' needs, of course, but without dedicated security resources, you don't have a good way to assess risk, evaluate loss scenarios or set appropriate investment levels. That's not even considering the obvious benefits of economies of scale and sharing of knowledge and experiences.
Where a centralized security budget exists, a significant portion is allocated for dedicated IT security staffing, according to our survey. While security hardware, software and services combined form an average of 48 percent of the dedicated budget, staffing alone represents 34 percent (see Finding 1.2). Staffing is a clear initial requirement for investment if you want to take a strategic approach to security. You need knowledgeable, capable people to formulate, monitor and develop your security infrastructure, even if individual security solutions are deployed at the business-unit level.
When solutions are part of a centralized company budget, security hardware forms a significant share of spending, with software and services accounting for only 13 percent and 12 percent of spending, respectively. The ongoing replacement of much security software with service-based offerings partially explains software's low share. But why isn't the services share greater? With 95 percent of the IT executives we surveyed saying their companywide budget has a services portion -- more than any other area (see Finding 1.3) -- services are clearly popular. The trick is that spending per employee on security services is the same as -- or a bit lower than -- it is for software. So organizations are adding the flexibility of services at a similar cost per employee.