Security swallows a twelfth of IT budgets

[InfoSec News <isn () c4i org>]

http://www.vnunet.com/News/1139286

By Ian Lynch in Barcelona [07-03-2003]

Not including special projects or disaster recovery, says Meta

IT directors have been advised to spend three to eight per cent of
their IT budgets on ongoing security costs.  The figures are best
practice guidelines given by analyst Meta at its 14th annual forum in
Barcelona earlier this week.

Meta explained that the figure does not include special events, nor
projects such as public key infrastructure implementations.

The analyst added that security budgets will increase by 10 per this
year, as they had done in 2001 and 2002.

Financial services firms should spend eight per cent of their IT
budget on security to cover ongoing costs. Energy companies should
allocate 6.5 per cent, e-commerce companies six per cent, retailers
five per cent and manufacturing companies three per cent.

These figures do not cover business continuity and disaster recovery,
which should take up another 2.5 to four per cent, according to Tom
Scholtz, vice president of security and risk strategies at Meta.

Security is the third biggest concern for businesses, said Scholtz,
and should be seen as an asset protection tax.

Enterprises need to evolve or establish their security programmes,
because continuing to operate a break/fix approach will dramatically
increase corporate liabilities.

A good programme takes two or more years to establish and includes
nine components (see below), each as important as the other.

"It should not just be about IT but about culture, processes and, in
the fullness of time, physical security," said Scholtz.

Given that chief information officers move jobs on average every 18
months, the programme should be overseen by a management steering
committee.

But Scholtz conceded that politics and tradition will probably ensure
that the security job function will remain in the IT domain for some
time.

The analyst predicted that 40 per cent of enterprises will have put
programmes in place by the end of 2003, with 70 per cent of
enterprises developing their own programme by 2005. Leading-edge
programmes will have matured by the end of 2003.

Meta's nine components for a security programme:


* A governance structure that ties security to the business.

* A vision, reduced to quarterly deliverables, that drives toward an 
  appropriately secured environment; an architecture that is 
  adaptable.

* An organisational approach that supports accountability and the 
  correct separation of duties.

* A plan to generate continuous cultural change.

* A maturity programme for security-related processes.

* An approach to supporting local management discretion in determining 
  the appropriate level of security.

* The execution of processes that determine just how secure the 
  environment is - right now!

* The execution of projects that make the environment more secure.
  The execution of processes which ensure that security is servicing 
  the current needs of all aspects of the business.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.