Two articles about the same issue. “Security to drop out of CIO spending top ten” by John Leyden at The Register, and “Spend less on IT Security, says Gartner” by SA Mathieson at InfoSecurity Magazine. Both come from a keynote speech by Gartner’s vice-president John Pescatore at the IT Security Summit in London this month.
From Mathieson’s article:
Getting to a mature stage of IT security will take many organisations some time, Pescatore said: by 2010, Gartner estimates just a fifth will have reached its ‘operations excellence’ stage where they spend just 3-4% of IT on security, while two-fifths will still be in the previous ‘corrective’ stage, spending 7-8%.
In response to a question, Pescatore dismissed the idea that insider threats are growing: he believes that attacks generated by malicious insiders are stable at 20-25%. Half come from mistakes made by insiders, while around 30% of attacks are made solely by outsiders, the majority of whom are cybercriminals.
From Leyden’s article:
For security managers the process involves persuading their counterparts in, for example, application development to include security functions in their projects. In this way security expenditure in real terms can go up even as security budgets (as such) stay flat or modestly increase. Security budgets freed from firefighting problems can then be invested with a view to managing future risks.
“Even a reduced security budget does not necessarily mean reducing security-related spending,” Pescatore said. “Security professionals need to think in terms of changing who pays for security controls,” so they can “move upstream” and spend their time and resources on more demanding projects, he added.
Gartner predicts that security spending will rise 9.3 per cent in 2007, but will drop out of the first ten spending priorities for CIOs for the first time since the prolific internet worms of 2003. Malware threats these days have evolved into targeted attacks featuring malware payloads designed not to draw attention to themselves.
It sounds reasonable. If all corporate departments take on their share of keeping the business secure (through security awareness, purchasing secure products and solutions, and adopting security-aware development practices, for example), IT Security departments could shift out of “firefighter mode” and focus on proactive security.