A Burton Group survey says security budgets typically make up 2 percent of IT budgets -- lower than earlier estimates of 6 percent to 12 percent -- and that CISOs are having a difficult time climbing to higher rungs of the corporate ladder. But the news isn't as somber as it appears on the surface.
"I think the lower level is really attributable to the notion that we don't need to spend as much on capital expenditures anymore," says analyst Pete Lindstrom. "We've gotten over the hump in buying all the basic security functions."
Lindstrom says organizations with more centralized security, or those late in making major security purchases, would typically have a security budget that takes up a greater percentage of the overall IT budget.
"It's somewhat comforting to know that we've reinforced ourselves in a way that makes sense," Lindstrom says.
In addition, respondents say top security executives are typically three levels below the CEO in the organization.
"We have a tendency to call every senior security professional a chief information security officer, but it's very unlikely that they report directly to the CEO or even the CIO," says Lindstrom.
Lindstrom says top security executives typically oversee security functions that have been decentralized. For example, patch management duties may fall within the client-server administration group, while firewall management falls within the network administration group.
Survey respondents say the CEO is more involved with governance, risk and compliance projects within the security organization, but less likely to be concerned with the company's security architecture or IT operational security functions, says Lindstrom.