When we initially set out to examine how organizations were budgeting and spending on IT security, we knew it would not be a straightforward or simple proposition. Security spending doesn’t take place in a single, well-defined area, with one set of budget lines and discrete products. Rather, whatever IT security strategies, procedures or resources may exist at your organization, there’s a good chance that the associated costs are largely, even exclusively, buried under nonsecurity headings. That’s why we couldn’t just ask about IT security budgets; we had to ask about security-related spending within other budget lines as well. And we had to understand the relationship between the two.
In January 2011, we fielded an online survey to members of our extensive database of enterprise IT executives, asking them about security budgets and about the influence IT security has on nonsecurity budgets. (Editor’s note: You may also download this report, Enterprise Security Spending Trends, with accompanying charts in PDF form.) The survey received 164 responses from individuals knowledgeable in these areas and working in organizations with at least 50 employees; 49 percent of respondents work in enterprises with at least 1,000 employees.
We were surprised to learn that half of these organizations actually have no dedicated, corporatewide budget for IT security (see Finding 1.1). This is true even in the largest organizations, and it means that spending, including staffing, frequently occurs on the departmental, project and application levels. The implication is clear: Security planning is not occurring on a strategic level as much as it should.