Last week, I asked all of our readers to help me ID the mystery security buyer: We had recently conducted a poll on who makes security purchases, and the majority came back to us as "Other."
I also promised you that I would let you know what I found. What I gathered from reading each response and doing a rough tally was that "Other" is most likely the following:
- IT manager
- Network manager
- Systems administrators
- Few organizations have a dedicated security core, so it could be anyone.
There were lots of other ideas about who "other" is, so I've packaged up all the responses here for you to browse through.
- "It could be CIO, Director of Infrastructure Management, Director Technical Support, System Administrator. Most questionnaires do not include applicable titles to match where they place security people in IT management structure. In fact, when choosing "titles", security is generally not one of the choices, except in a security related area. By the way, security-buying decisions here come from the Director of Infrastructure Management in concert with the CIO. I have no budget."
- "Chief Executive Officer, probably. After all, they want to take every decision!"
- "It has been my experience that the Corporate Controller, or CFO end up being the decision maker on these purchases. Unfortunately, they are making decisions based on cost/return on investment as opposed to real need. The other group that I have found making these purchasing decisions are the Sales group. Usually a tit for tat exchange for getting business from a security seller."
- "I'd bet it's regular old IT managers, since relatively few companies have dedicated infosecurity staff."
- "The other buyer is the IT Operations/Desktop Managers, Network Managers, Mail Managers or the System Administrators. IT Operations/Desktop Managers purchase anti-virus software like McAfee, Norton, et al.; Network Managers purchase firewalls, QoS devices and network intrusion devices, Mail Managers purchase content management and host-based intrusion detection; System Administrators purchase the toy of the week. Few organizations have a professional security core."
- "Security Committee or Panel headed by IT."
- "When I raised the issue that our current firewall didn't have the necessary features to enforce the security policy we needed, I was told that our company had some kind of joint marketing endorsement deal with the manufacturer and so changing to another product was not an option."
- "In most of the companies I've worked for lately, any purchases over $2,000 - $3,000 are requested by the CTO or CIO and approved by the CEO or a combination of the CEO and CFO."
- "At our company, security-buying decisions are made by the CIO, Facilities Manager, or the President."
- "Our Sys Admin buys our security software."
- "Others could include internal/external auditors. As part of submitting recommendations I have often had to recommend the use of various security packages. I have also worked on package selection panels as IT audit teams have a vested interest in ensuring that security packages not only create a more secure environment but that they make IT auditing easier/automated/cost effective."
- "Having been in sales and on the other side of the fence buying millions of dollars worth of IT, I can tell you that the bulk of purchase decisions come from the business people. These are the people with the problems and typically IT forms part of the solution, i.e. automation of purchasing using EDI or protection of the transport of sensitive information using encryption."
- "We have about forty colleges and schools with departments and divisions in each. At last count there were 850 different networks of varying size and all with their own political base. Network security is the responsibility of the network support staff. Whether it is the 'Professor' with the title or the engineer who does the work. The university uses state guidelines for titles -- security is the title applied to door guards, event workers, not network technical staff. So all of us without the "Title" but doing the job are your 'other'. At least we are not the anonymous 'they'."
- "From our consulting practices I have often seen security-buying decisions initiated by program, project managers, or analysts involved with an on going project."
- "I would say most of the other group is comprised of network engineers and network security engineers."
- "At our company, we have separated mainframe security from network security, so for mainframe decisions it would be CTO, and for network security products, it would be our network-engineering manager."
- "Other: Project Managers (project implementation requires new technology. Project may fund initial capital spending with ongoing maintenance done by security); Corporate Governance groups e.g. CPO (Chief Privacy Officer) or Regulatory & Compliance; IS/IT Auditors - recommendations via audit reports; Network managers (e.g. firewalls, IDS). (In no order of importance). Also note: Security architects -- only 2%...perhaps it's because there are so FEW security architects out there!"
- "I don't think I even responded to the survey, but your question of who constitutes "other" intrigued me enough to respond. Our shop and company is small enough (<300 employees with an IT staff of about 18) that basically two people (me on the AS/400 and an NT administrator) control the detailed installation and operation of security on our systems. BUT security is perceived as an 'overhead' expense and always gets put on the back burner by the front office. New development always seems to take priority. The front office (read President and CEO) controls ALL expenditures over a certain dollar amount. And their perception of expense is basically that it MUST show some effect on the bottom line. Forget about 'soft costs'. It's not a condemnation of the front-office perspective, as several other people from other companies that I deal with have to deal with the same corporate mindset."
- "I am in a smaller company. We don't have a CIO, CSO, etc. I have an IT manager, and directly above him we have another manager, then the president of the company. If it is a major purchase the president is the decision maker. If it is a smaller level decision, my manager and his manager make the decision. Mind my manager's manager is an accountant, not an IT professional."
- "In smaller firms other probably means IT manager or Sys Admin."
- "In my organization, the IT Manager makes the security-buying decisions. In the small companies for which I have worked, it is customary for the IT Manager to be the top IT professional as well as to perform all security-related functions."
- "Apparently the 'Other' is the hackers, crackers and exploiters who insinuate purchases based on their activities."
- "We find that there are many different people influencing security purchases. We are a re-seller in the UK, and due to the fact that security is now being taken seriously, there is more interest. But many companies have yet to appoint specific security staff, and the job has been handed to existing staff; in most cases, this is an unwanted extra responsibility. We also find that many decisions are still (unfortunately) based upon price -- enforced by purchasing and finance managers. Especially in the large enterprise, corporate and local government sectors. Here is a rough guide to our purchasers: Designated security staff 10%; IT Director 8%; Network manager 15%; Desktop manager 5%; Purchasing 20%; MD (SOHO/SME) 15%; Re-seller distribution partner 27%."
- "My case is not very typical: I'm head of the IT dept in a Russian city administration. It's my job to select any IT security products and to make decisions, but I can't make security *buying* decision -- it's only the vice-mayor's privilege to make formal approvals (decisions) for buying."
- "Very few companies (apart from the largest or wealthiest) employ anyone called Security Manager, Chief Security Officer or Security Architect. Most organizations have either a systems manager who has to take on security in much the same way they do all other general sys admin. My guess is that the chain for purchasing decisions generally goes from Systems Admin to operations and to finance."
- "Infrastructure manager, or service manager in my experience."
- "In small shops, it is the Systems Programmer; in even smaller shops, it is the programmer/analyst/operator. Not everyone has a specialized title that fits the choices you offer-- in fact, it looks like maybe only 65% of the shops are that big and that specialized."
- "I would risk saying that it might be FDs, auditors or other commercial/financial people who are not directly involved with, nor informed enough about information security."
- "At my present company the 'Others' are most definitely non-technically inclined partners. Otherwise known as bean counters!" :)
- "CIO, CFO, MIS Director, IT Manager"
- "Other - 35% = CFO in the most cases..."
- "From my experience with potential security buyers, tech people influence and make recommendations regarding security-buying decisions, but the decision to buy rests with others up the ladder, such as CFO or CEO. In Portugal, where 98% of the companies are SMEs, most companies don't even have Chief technology officers, Security managers, Chief security officers or Security architects. So who the "Others" are largely depends on the type of companies the majority of your readers work for. And the results of the poll suggest the majority might be small to medium sized businesses. I bet "Others" are non-techies, such as Owner, Managing Director, CFO and CEO."
- "I read your article and would like to give you the answer (in the cases I see on a day-to-day basis inside the company I work for and at the customers of my own company). Most of the decisions in this area are made by higher management because of the price. The IT manager, who is a non-technical person in 90% of the cases, makes the decisions for the larger amounts. The difficulty is to convince these managers that the purchase you are asking him for is actually necessary."