BOSTON, MA – April 11, 2018 – officially released its latest findings on budget-related best practices for information security leaders to consistently command the budget and resources they need. The research report identifies key obstacles in enterprise security budgeting and provides methods and benchmarks used by successful InfoSec leaders to facilitate the budget discussion.
The research outlines four key battlefronts and provides guidelines from some of the most successful, well-supported InfoSec leaders. Key findings reveal that regardless of size, maturity or corporate heft, the approach to security budgeting looks different in organizations that inherently value information security and those that do not.
“It’s part of the CISO’s job to transition from unsupported to being fully supported, but that can only be done when the stage has been properly set within an organization,” said Doug Graham, chief security officer at Nuance Communications. “This research report from IANS goes beyond the numbers and uncovers some of the underlying and contributing factors that can help CISOs win the battle and set the stage for a stronger security posture within their organization.”
To keep the research enterprise-focused, only responses from representatives of organizations with full-time CISOs and annual revenue higher than $500 million were included. Half of the enterprise CISOs surveyed (49 percent) have annual security budgets between $1 million and $5 million. One in four (25 percent) have between $6 million and $10 million to spend, while roughly the same number (22 percent) report budgets larger than $10 million.
Most CISOs allocate the biggest budget share to people and technology, with 43 percent on people and 36 percent on technology. The remaining 21 percent include professional services, outsourcing and other budget items. Two-thirds of CISOs indicate that both headcount and operating expenditures are areas of budget growth to which the company is most sensitive.
The Fiscal Battle Zone
Today’s CISOs all have one thing in common: the pressing need for funding to keep their security programs vital. Information security leaders must continually compete to win the resources required to go beyond the InfoSec basics and proactively manage risk. Worldwide IT security spending jumped nearly 8 percent in the past year to top $90 billion, and it’s forecast to climb above $113 billion by 2020, according to Gartner.
Despite promising numbers, however, executive decision-makers now want InfoSec costs inexorably linked to business value and return on investment. While some CISOs consistently command the budget and resources they need, others continue to struggle.
“Somewhat surprisingly, a number of Fortune-level companies with household names have CISOs who struggle to secure the appropriate levels of funding,” said Phil Gardner, founder and CEO, IANS Research. “Although metrics are powerful, several CISOs expressed to us that when it comes to securing budget, it’s more important to deliver a narrative that business leaders can understand. CISOs who can deliver a compelling narrative on how InfoSec powers the business will advance their objectives, increase their stature and win the battle of the budget.”
Credibility, Trust and Influence
Trust and credibility are the bedrock of CISO effectiveness. Two camps of CISOs emerged during the study – the Supported and Under-Supported. 38 percent of respondents considered themselves Under-Supported, while 62 percent described themselves as Supported. Under-supported CISOs are expected to get the same products and services for either the same (42 percent) or less money (32 percent) as supported CISOs. Ultimately, Under-Supported CISOs are under more pressure and face more scrutiny for ongoing spend. Only 26 percent of Under-Supported CISOs said their ongoing spend is “pretty much left alone” and that inflationary increases are accepted.
The difference between the two had little to do with company size or industry and more to do with an organization’s culture and CISO selection process.
Responses from the most Under-Supported CISOs indicate that they:
Suffer from a lack of corporate support.
Rely more on technical explanations than on business justifications for budget requests.
Are forced to fit spending into larger budgets such as IT, and their discretionary spending is tightly controlled.
Are still in the early stages of risk prioritization and their metrics reporting lacks depth and context.
Meanwhile, corporate reporting lines keep these Under-Supported CISOs several steps removed from the organization’s most influential leaders.
IANS (Institute for Applied Network Security) is an information security advisory and consulting firm serving Fortune-class information security teams and professionals with in-depth insights and decision support regarding their most pressing technical and strategic challenges. IANS provides access to information security experts who address and solve our clients’ challenges as they arise. IANS helps security teams achieve technical excellence and improve engagement with the organization to drive security’s impact deeper into the company. Through a mix of research, consulting, and interactions with a peer community of security professionals, IANS serves as a comprehensive resource for information security teams. Visit us at