Cyber Security Institute

Wednesday, September 15, 2004

Who spends what on computer security?

What price security? Somewhere between $110 and $334 per employee, depending on the size of your company.

According to the ninth annual Computer Security Institute/FBI Computer Crime and Security Survey, when asked about security spending as a percentage of their overall IT budget, nearly half of the 494 respondents pegged it at 1 to 5 percent, 15 percent put it at 6 to 10 percent, 8 percent indicated that security accounted for more than 10 percent of all IT expenditures, and 14 percent said they didn’t know.

Economies of scale allow larger companies to spend less per employee, while companies in certain industries (transportation, high tech, and telecommunications, as well as federal and state governments) spend far more heavily per employee than companies in the medical, retail, and manufacturing sectors, according to the same survey.

Asked which metrics were applied to security spending, one-third of the respondents gave no answer. Of the 320 that did respond, slightly more than half said security spending decisions were subject to ROI analysis, while the other half was split between net present value and internal rate of return.

Outsourcing of computer security has yet to take hold to any meaningful degree: nearly two-thirds of the respondents said they don’t outsource any aspect of security, and less than 1 percent said they outsource all of it. Slightly more than one-fourth of the respondents said they have signed on for some form of cybersecurity risk insurance.

Posted on 09/15