According to research, secure organisations can sometimes spend less than average on security as a percentage of the IT budget.
As explained by McMillan, the lowest-spending 20 per cent of organisations are composed of two distinctly different types of organisations.
“Un-secure organisations that underspend,” McMillan explained.
“And secure organisations that have implemented best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.”
Consequently, McMillan’s view is that enterprises should be spending between four and seven per cent of IT budgets on IT security - lower in the range if they have mature systems, higher if they are wide open and at risk.
“This represents the budget under the control and responsibility of the CISO, and not the "real" or total budget,” he added.
To help demonstrate due care in information security, partners can advise organisations to first assess risks and understand both the CISO's security budget and the "real" security budget found in the complicated range of accounts that may not capture all security spending.
“A CISO who has knowledge of all of the security functions taking place within the organisation as well as those that are necessary but missing and the way in which those functions are funded, is likely to use indirectly funded functions to greater advantage,” McMillan added.
Sign up for CIO Asia eNewsletters.