In most enterprises, there is no single coordinated place that security purchasing decisions are made. That is part of the problem many businesses are having.
A typical situation is that one groups runs the company Web servers, and they provide whatever security products those servers use. Another group is responsible for desktop services, e-mail, etc., and that group makes security purchase decisions for those products. If the company has a CIO, the CIO office will often mandate certain security products to be used, usually without coordinating with the two groups above. Individual offices, or even users, might procure their own security products, as well.
It is rare to find a company that has a single decision point. The most effective companies will have their IT support reporting to the company CIO, and they will be responsible for all IT within the company. This includes desktops, servers, firewalls, networks and anything else needed. In this way, they can develop an appropriate security architecture for the company and procure products to implement that architecture. So, the head of the IT support or the CIO would be the decision point for security purchases.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Budgeting for Security
Featured Topic: Security Budgets
Executive Security Briefing: Security spending a necessary evil
This was first published in February 2002