Most Canadian firms aren’t, according to industry figures.
How much should your organization be spending on security? According to analyst figures, about 14% of the IT budget – but less than a quarter of companies are spending that much.

Last year, IDC released a report analyzing Canadian companies’ security budgets to find out how much they were spending, and on what. The results – from a survey of over 200 Canadian organizations – showed that while the average spend was just under 10%, the budget varied depending on how mature the company’s approach was.
IDC divided Canadian firms into four key groups:
Egoists make up 17% of organizations and have good security. This group spends 12% of its IT budget on security, but even with its positive track record, it might be a little overconfident in its capabilities.
Realists: almost a quarter of organizations fall into this category. Their cybersecurity budget is the highest of all, at 14% of their IT budget, but they still understand that security isn’t a zero-sum game; it’s a constant battle that can never be won. They spend a lot of time comparing their own performance to that of their industry peers.
Comprising the largest proportion of organizations at 37%, this is the head-in-the-sand crowd. Their IT security needs work, but they don’t realize it. They tend to install technologies in a bid to solve the security problem rather than taking the time to invest in designing secure processes and then training staff in them.
Almost a quarter of firms examined fell into this, the worst of all categories. They’re crummy at security, and they know it. Their approach relies largely on throwing budget around and seeing what works, but there’s not as much budget to go around: these firms spend an average of only 6% of their IT budget on security.
Some dollars are more equal than others
Realists are the only organizations that spent over the recommended 13.7% of their IT budget on security. The overall average was 9.8%, putting Canadian firms as a whole woefully behind the curve. On the other hand, it’s worth remembering that not every dollar is equally spent – and that not every dollar with a security benefit necessarily shows up in the security budget.
Buying a tool to spot network anomalies is clearly a security-related purchase, but it may not do much for a company’s security stance if it isn’t incorporated into a broader detection and mitigation process. Just look at what befell Target, which ignored early warnings from its expensive FireEye anomaly detection service before it lost tens of millions of credit card numbers. Spotting a handful of warnings among hundreds or thousands each day is a tough call, but it could have helped to mitigate the effects of the intrusion.
Conversely, an IT department that spends money creating a system of repeatable, automated change management and provisioning processes before it buys sophisticated detection tools is making its infrastructure more secure, even if the main driver is efficiency. What portion of that shows up as a security line item, if any?
Not spending anything on security isn’t an option – but throwing money at a problem without establishing robust IT processes isn’t much better.
The same holds true for non-technical employees. Promoting a security culture in an organization takes persistence. On average, respondents to the IDC survey said that they’d like to spend 24% of their IT security budget on building best practices, awareness and education. “The reality is that shoring up employee lack of security knowledge will continue to be carried out on much less than this percentage,” said IBM’s report on the IDC numbers.
By all means, assess how much you’re spending on security and be sure that it matches the ideal number. But give every dollar a job – and be sure that it’s working smarter, rather than just harder.