Compliance Results and Spending on IT Security
Benchmarks completed by 1,060 organizations show a direct relationship between compliance results and total spending on IT security. Organizations that spend more on IT security report fewer compliance deficiencies and fewer IT security events resulting in financial loss. Among the leading firms participating in the benchmarks, spending on IT security averages 10.3% of the total annual IT budget (Figure 1).
Figure 1: Compliance Results and Spending on IT Security

Compliance Results by IT Budget
The benchmarks also show that compliance results do not vary with the size of the IT budget. Within each IT budget size band, results track the industry-wide distribution: 20 percent laggards, 69 percent at the norm and 11 percent leaders. The differences in compliance results between budget size bands are smaller than the standard error and are therefore not significant.
Compliance Results for Spend as a Proportion of Revenue
The leaders also spend more as a proportion of total revenue, assets under management or budget: one dollar on IT security for every $29,335 in revenue. However, mean spend as a proportion of revenue comes with a high standard deviation of $25,000, reflecting large differences in IT security spend between industries. For example, security spend differs considerably among the construction, education, financial services, government, healthcare, insurance, manufacturing and retail industries, among others. We do not recommend using spend as a percentage of revenue as a guide until industry-specific findings can be correlated and published. We recommend instead using spend as a percentage of the IT budget, which has a standard deviation of less than 0.3%.
Allocating Spend to Improve Compliance and IT Security Results
Most firms allocate, on average, between 20 and 22 percent of total IT security spend to employee labor. Compliance leaders, however, are reallocating some of the funds previously earmarked for contractors and outside services to equipment and software. Among the firms with the worst compliance and IT security results, 37 percent of total IT security spend goes to contractors and 43 percent to equipment and software. Among the firms with the best compliance and IT security results, 26 percent of total IT security spend goes to contractors and 52 percent to equipment and software.
Allocating Spend to Improve Enabling Practices
Compliance leaders allocate IT security spending differently than other organizations do. The practices being honed by compliance leaders include: 1) how effectively and how frequently data and knowledge are managed; and 2) how effectively and how frequently risk assessment and risk management practices are conducted (Figure 2).
Figure 2: Allocating Spend to Improve Enabling Practices

Beyond these two practices, compliance leaders also spend to improve the scope of technology maturity, organizational effectiveness, procedures, training and accountability. As might be expected, total spend and spend allocation among organizations operating at the norm fall somewhere in the middle, and organizations with the worst results lag in all enabling practices.
Guidance Recommendations:
Guidance for all organizations, based on the benchmark findings, includes:
- Spend on IT security: 10% or more of the IT budget is shown to improve results
- Top three practice areas for spend allocation: management of data and knowledge, risk management practices, and technology maturity
- Top spend allocation shift: toward equipment and software for automating continuous measurements
© IT Policy Compliance Group, 2006