Security spending at most organizations accounts for somewhere between 2 and 20 percent of the total IT budget, according to research from Giga Information Group, Inc., and more of this money is being spent on personnel.
During the past year, Giga found that organizations appeared to appropriate larger portions of the budget for senior security managers, including chief security officers (CSOs), than before. Spurred by Sept. 11 and a heightened awareness of the need for security, the time of “jungle rules” for security management is at an end.
“To reevaluate the state of internal security, security managers need to understand what skills and salary levels are needed for security personnel, as well as how to structure the entire team,” said Giga Vice President Steve Hunt. “How these teams are built depends heavily on the size and complexity of the organization, but most importantly, on the company’s risk tolerance.”
Giga’s research found that CSOs working in financial services earn significantly higher salaries – up to $400,000 annually plus bonuses – than their counterparts in telecom, utilities and manufacturing.
“Given the newness of the position, there is still little uniformity around how the CSO is compensated,” Hunt said.
CSOs in financial services reporting directly to the CIO make between $125,000 and $270,000, while those reporting to business executives (CFOs, COOs, etc.) may earn as much as $400,000, plus a 15 percent to 25 percent bonus. CSOs in telecom, utilities and manufacturing, who commonly report to executives two levels below the CIO, earn about $70,000 to $90,000 per year, plus a 15 percent bonus. This is closely matched by CSOs in the science-business sector, who may earn as much as $100,000 but can expect somewhat smaller bonuses, at 10 percent to 15 percent.
According to Hunt, there are three possible responses in risk management: accept the risk, assign (transfer) the risk or mitigate the risk.
“The extent to which you choose mitigation and the complexity of your IT infrastructure’s applications portfolio will ultimately dictate the size and depth of your internal security program,” Hunt said. “The tolerance for risk, more than anything else, dictates the resources that will be needed for the security organization.”
Large non-tech manufacturers, for example, usually rate themselves as very risk-tolerant, while large banks rate themselves as very risk-intolerant and financial trading institutions, large hosting services and defense contractors usually behave with zero-tolerance for risk. Giga’s research shows risk tolerance is getting lower.
“High-profile companies or organizations associated with national infrastructure are lowering their risk tolerance measurably and increasing their security budgets similarly as a result of the current threat climate,” Hunt said.
Malicious code infection (commonly called a virus) remains the most common security threat. According to the 7th Annual ICSA Labs Virus Prevalence Survey (ICSA is an independent division of managed security services provider TruSecure Corp.), the rate of malicious code infection continues to rise despite increased spending on security.
The survey gathered data from 300 companies and government agencies to describe the virus problem in computer networks, including desktop computers. Gantz-Wiley Research, Network Associates, Panda Software and Symantec Corp. sponsored the study.
Among the virus trends the study found taking shape in 2002:
- An increase in the number of multiple-vector threats similar to Nimda: more worms and viruses will attempt to exploit vulnerabilities through several propagation vectors at once.
- The proliferation of host-based threats: worms such as Code Red and Nimda show a trend toward malicious code that infects and propagates through Internet host computers rather than relying on user action.
- The creation and continuation of factors that contribute to rising infection rates. These include new virus types, increased use of multiple e-mail programs, new replication vectors and expanded forms of connectivity.
“Although companies are spending more money and applying more technology to the problem of viruses and worms than ever before, malicious code is keeping pace,” said Peter Tippett, chief technologist at TruSecure Corp. “Organizations need to examine their security policies and practices to ensure they are getting the most out of their existing resources. At the same time, antivirus vendors need to provide more heuristic tools and software vendors must offer more secure applications.”
The survey also found that the average company spends between $100,000 and $1,000,000 per year on the total consequences of desktop-oriented virus disasters (both hard and soft costs). In addition to being more prevalent, computer viruses were more costly, more destructive and caused more real damage to data and systems than in the past. File corruption and data loss are becoming much more common, although loss of productivity remains the largest cost associated with a virus disaster.
Organizations are also responding to increased threats by increasing their spending on security software. According to Dataquest, Inc., the worldwide security software market is expected to reach $4.3 billion in 2002, an 18 percent increase over revenue of $3.6 billion in 2001 (see More IT Dollars Headed to Security).
The telecommunications and communications industries led the way in security spending in 2001. But in 2002, with security a front-page issue, government, education, IT and financial services are expected to increase security software spending, while telecommunications, communications and services are projected to cut back.