A new study shows that most large companies don’t spend enough of their IT budgets on upgrading their security infrastructures – a situation that could lead to bigger problems in the face of government legislation and corporate mergers and acquisitions.

Nemertes Research last week released its “Effective Security Solutions” report, which says the average 2% to 3% of the overall IT budget that companies allocate for security will not adequately prepare most of them for government regulations, new applications and/or Web services architectures.

Johna Till Johnson, Nemertes Research president and chief research officer, and a Network World columnist, says spending 3% on security will allow for only the security basics at most large organizations. Nemertes’ definition of security basics includes deploying firewalls and VPNs, and controlling the security perimeter.

“Everyone will say that security is essential, and no one will dare say it’s not important, but they are still underspending on security,” Johnson says.

Nemertes found that many companies in the past five years have made strides in designating security officers, staff and budget, but still fall short when it comes to funding new and necessary projects. She says companies must spend at least 5% of their overall IT budgets on security to incorporate the infrastructure upgrades and policy-based processes necessary to comply with government regulations passed in the past eight years or so.

The security requirements in legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Financial Modernization Act of 1999, the Sarbanes-Oxley Act of 2002 and ongoing Department of Homeland Security initiatives, represent a significant concern for companies currently underspending, Johnson says.

HIPAA establishes national standards to ensure privacy in electronic healthcare transactions, and in light of all the accounting discrepancies in recent years, Sarbanes-Oxley requires that managers vouch for the internal controls their companies place over areas that include transactions, electronic information and communications. Sarbanes-Oxley will become a Securities and Exchange Commission rule. The Gramm-Leach-Bliley act broke down information-sharing barriers among U.S. banking, securities and insurance industries so as to provide various financial services to customers, but also requires many electronic financial privacy regulations be put in place.

“The fine print in these pieces of legislation has the CEO or the security officer potentially going to jail if found in violation of these acts. Companies are just starting to wrap their heads around that idea,” Johnson says.

With mergers and acquisitions more frequent, companies must put more dollars into creating a common security infrastructure across IT departments. Johnson says that poses a particularly big problem for financial services organizations.

The research firm found that about three-quarters of security executives say access control, authorization and auditing (the triple A’s of security) and identity management are among their top spending priorities.

Other findings show that while 80% have not yet deployed Web or application security, many will look into the technology in the coming year or so.