http://www.csoonline.com/csoresearch/report50.html
CSOs Prioritize Security Spending for 2003
by Lorraine Cosgrove Ware
CSO Sensor Shows Security a Strategic Asset
Executive Summary
Companies expect to spend roughly 10% of their total IT budget on security in 2003, an 8% increase over 2002 levels, with employee education, business continuity and disaster recovery taking priority. Current employees still pose the biggest threat to companies’ technology infrastructures, and security executives are most concerned about electronic attacks like viruses and unauthorized access to systems—more than physical attacks or electronic attacks with physical consequences (i.e. loss of power).
Increasingly, security investments are considered strategic. Along with government and industry regulations and internal compliance audits, customer confidence is a key factor driving companies to invest in information security.
CSO Research Predictions
The importance of protecting company assets will continue to be elevated to the corner office and will become a priority for the CEO over other IT issues. The customer plays an important role in companies’ security plans, and organizations that instill confidence in customers that their personal and business information is safe will have a competitive edge. Security will move from being a line item in the IT budget to warranting its own budget separate from the technology budget and moving from the CIO’s domain to the control of a senior-level security executive.
Key Findings
Security budgets
Companies will allocate an average of 10.3% of their total IT budget to information security in the coming year, up from 9.5% reported in 2002. More than one third of the companies surveyed have an annual security budget—including security products, systems, services and staff—of more than $1 million in 2003 while 36% reported security budgets between $101,000 and $1 million. Close to one quarter (27%) reported security budgets of less than $100,000 for 2003.
The majority (71%) of executives surveyed said that their company had separate budgets for physical security and IT or information security, up from 58% reported in July 2002. Three quarters (75%) of CSOs reported that the IT security budget was included in the overall IT budget. This figure is down from the 80% reported in July, signaling that companies are putting increased emphasis on IT security, giving it its own budget versus being a line item in the IT budget.
Security management priorities for 2003
When asked what their organization’s security management priorities were for the coming year, respondents listed training/educating employees (72%), assuring business continuity (68%), disaster recovery (68%), enforcing security policy (65%) and assessing risk (61%), in that order.
When asked about spending priorities, CSOs said they would invest in security software (38%), services (21%) and security hardware (14%) in 2003.
While compliance with government and industry regulations is motivating many companies to invest in security, others are taking measures to instill confidence in their customer base. When asked about the key factor driving security investment in their organization, security executives listed current government/industry regulation (22%), auditing, risk management (21%) and customer confidence (15%) most frequently.
Benefits of security investments
Survey respondents are already getting benefits from their security investments. When asked to list the top benefits that their organization had experienced as a result of its security investments to date, respondents listed fewer security breaches (75%), reduced financial loss (47%) and increased customer satisfaction (29%) most frequently.
Methodology
CSO magazine’s Security Sensor survey was administered online from November 25 through December 9, 2002. Subscribers to CSO magazine were invited to take the survey. The results shown here are based on the responses of 797 security professionals (not all respondents answered all questions), representing a response rate of 9%. The margin of error for this study is +/- 3.5%.
When asked about title, 34% were senior-level including CIOs, CTOs, CSO/CISO and vice presidents. Forty-five percent of respondents were directors or managers. Seven percent held government titles and 13% listed “other.”
Thirty-nine percent of the survey respondents worked at companies with annual revenue of $1 billion or greater. Twenty-two percent were from companies with annual revenue between $100 million and $999.9 million, and 34% listed revenue at less than $100 million. (Six percent did not answer.)
Respondents represented a wide range of industries including local, state or federal government (19%), insurance/healthcare (15%), computer-related industries (13%), finance/banking (10%), manufacturing (8%) and education (7%).
2003 CXO Media Inc. January 07, 2003