IT security budget may be misleading indicator of security, Gartner says

Razvan Muresan

December 19, 2016

IT security spending ranges from about 1 percent to 13 percent of the IT budget, according to the most recent IT Key Metrics Data from Gartner. But spending can be a misleading indicator of program effectiveness, analysts say.

According to the survey, organizations spend an average of 5.6 percent of the overall IT budget on IT security and risk management.

"Clients want to know if what they're spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs," said Rob McMillan, research director at Gartner. "But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers."

According to Gartner, most organizations will continue to misuse average IT security spending figures as a proxy for assessing security posture through 2020.

Without the context of business requirements, risk tolerance and satisfaction levels, the metric of IT security spending as a percentage of the IT budget does not provide valid comparative information that should be used to allocate IT or business resources. Moreover, IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organizations. They simply indicate average costs, without regard to complexity or demand.

Gartner's view is that enterprises should spend between 4 and 7 percent of their IT budgets on IT security: at the lower end of the range if they have mature systems, and higher if they are wide open and at risk. This represents the budget under the control and responsibility of the CISO, not the "real" or total security budget, which also includes security functions funded indirectly through other parts of the organization.

"A CISO who has knowledge of all of the security functions taking place within the organization as well as those that are necessary but missing and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage," McMillan said.

Worldwide spending on information security products and services will reach $81.6 billion in 2016, an increase of 7.9 percent over 2015, according to Gartner's forecast. According to a RAND Corporation study, the cost of managing cybersecurity will likely increase 38% over the next 10 years, reaching almost $100 billion, as companies spend more on cybersecurity tools. Worldwide spending on cybersecurity has already passed the $70-billion-a-year threshold and is growing 10% to 15% annually.

Gartner's latest forecast also includes these assumptions:

The average selling price for firewalls is expected to increase by at least 2 or 3 percent per year until the end of 2018.

By 2018, 90 percent of organizations will implement at least one form of integrated DLP, up from 50 percent today.

Public cloud adoption will impact firewall spending by less than 10 percent until the end of 2019 but will have greater impact after that.

Half of midsize and large organizations will add bigger, more advanced inspection-oriented features to their network firewalls by 2019.

Author


Razvan Muresan

A former business journalist, Razvan is passionate about supporting SMEs in building communities and exchanging knowledge on entrepreneurship. He enjoys taking innovative approaches to hot topics and thinks that the massive amount of information that bombards us daily via TV and the internet leaves us less informed than we think. Lack of relevance is the main issue in today's environment, so he plans to emphasize real news on the Bitdefender blogs.
