This article can also be found in the Premium Editorial Download "Information Security magazine: Does security make the grade in Windows Server 2008?."
A Burton Group survey says security budgets typically make up 2 percent of IT budgets -- lower than earlier estimates of 6 percent to 12 percent -- and that CISOs are having a difficult
"I think the lower level is really attributable to the notion that we don't need to spend as much on capital expenditures anymore," says analyst Pete Lindstrom. "We've gotten over the hump in buying all the basic security functions."
Lindstrom says organizations with more centralized security, or those late in making major security purchases, would typically have a security budget that makes up a greater percentage of the overall IT budget.
"It's somewhat comforting to know that we've reinforced ourselves in a way that makes sense," Lindstrom says.
In addition, respondents say top security executives are typically three levels below the CEO in the organization.
"We have a tendency to call every senior security professional a chief information security officer but it's very unlikely that they report directly to the CEO or even the CIO," says Lindstrom.
Lindstrom says top security executives typically oversee security functions that have been decentralized. For example, patch management duties fall within the client-server administration group or firewall management falls within the network administration group.
Survey respondents say the CEO is more involved with governance, risk and compliance projects within the security organization, but less likely to be concerned with the company's security architecture or IT operational security functions, says Lindstrom.
This was first published in February 2008