Security budgets to remain flat in 2010

I’m back after a brief hiatus with a summary of the findings from our annual budget survey.

IREC conducts an annual budget survey of its membership in the June – August timeframe. We just wrapped up data analysis on the 2009-2010 survey that ~80 CISOs provided data for. I wanted to share some of the preliminary findings with you all. Here are the Top 5 findings:

1. Budgets to remain flat going into 2010: The average organization will spend 3.5% of the IT budget on information security in FY2010. This is down from 3.8% for FY2009, but not a statistically meaningful difference. We also look at information security spending on a per-employee basis. This number has jumped from USD622 in 2009 to USD677 in 2010. This is a corollary effect of layoffs that have resulted in a smaller employee base.
2. Personnel spending forms the bulk of the CISO’s budget: 47% of the security budget goes towards personnel (staff salaries). The next big chunk is capitalized technology expenses (18%). Outsourced security services and consulting spend accounts for another 16%.
3. Staffing remains flat with some pockets of big hiring: On average, the CISO’s organization expects to have 40 in-house staff in 2010 (we are not counting contractors and staff that might be working on security initiatives but do not belong to the CISO’s budget). This is up from an average of 38 in 2009. Much of this jump is attributed to a handful of companies that are projecting 20%+ staff increases.
4. On certifications and frameworks, CISSP and ISO lead: 49% of security staff carry at least one certification, primarily CISSP. 73% of organizations use ISO 27001 as their security framework. ISO 27002 is slowly catching on. However, not many are pursuing or planning to pursue ISO certifications. Just about 7% have some part of their organization ISO certified and 75% report no plans to pursue certification.
5. CISOs are playing a larger role in BCP, e-discovery and data privacy: While things seem to have settled down from a scope and reporting perspective, CISOs’ portfolio of responsibilities seems to be expanding. 66% claim primary or shared ownership for BCP, 82% for e-discovery and 91% for data privacy. This is a huge jump from years past.

Once we complete our full analysis, I will update the post and add more details – in areas such as technology adoption trends, threat trends and security governance. Ciao for now!

PS: Check out this article in Business Week on social media adoption that IREC co-authored with our sister programs at the Corporate Executive Board! We will also be hosting a webinar on “Security Implications of Social Media” on October 15th.
