Security swallows a twelfth of IT budgets

IT directors have been advised to spend three to eight per cent of their IT budgets on ongoing security costs.

The figures are best practice guidelines given by analyst Meta at its 14th annual forum in Barcelona earlier this week.

Meta explained that the figure does not include special events, nor projects such as public key infrastructure implementations.

The analyst added that security budgets will increase by 10 per this year, as they had done in 2001 and 2002.

Financial services firms should spend eight per cent of their IT budget on security to cover ongoing costs. Energy companies should allocate 6.5 per cent, e-commerce companies six per cent, retailers five per cent and manufacturing companies three per cent.

These figures do not cover business continuity and disaster recovery, which should take up another 2.5 to four per cent, according to Tom Scholtz, vice president of security and risk strategies at Meta.

Security is the third biggest concern for businesses, said Scholtz, and should be seen as an asset protection tax.

Enterprises need to evolve or establish their security programmes, because continuing to operate a break/fix approach will dramatically increase corporate liabilities.

A good programme takes two or more years to establish and includes nine components (see below), each as important as the other.

"It should not just be about IT but about culture, processes and, in the fullness of time, physical security," said Scholtz.

Given that chief information officers move jobs on average every 18 months, the programme should be overseen by a management steering committee.

But Scholtz conceded that politics and tradition will probably ensure that the security job function will remain in the IT domain for some time.

The analyst predicted that 40 per cent of enterprises will have put programmes in place by the end of 2003, with 70 per cent of enterprises developing their own programme by 2005. Leading-edge programmes will have matured by the end of 2003.

Meta's nine components for a security programme:

• A governance structure that ties security to the business.
• A vision, reduced to quarterly deliverables, that drives toward an appropriately secured environment; an architecture that is adaptable.
• An organisational approach that supports accountability and the correct separation of duties.
• A plan to generate continuous cultural change.
• A maturity programme for security-related processes.
• An approach to supporting local management discretion in determining the appropriate level of security.
• The execution of processes that determine just how secure the environment is - right now!
• The execution of projects that make the environment more secure.
• The execution of processes which ensure that security is servicing the current needs of all aspects of the business.