Security Spending: In the Red?

3:55 PM -- The 12th annual Computer Security Institute report is due out at the beginning of next week, and it raises some interesting questions about the costs of cybercrime and the spending patterns associated with IT security.

According to the report, cybercrime cost the average company more than $350,000 in the past 12 months -- more than double what it cost them a year ago. Yet, after many volatile years, security spending is becoming more fixed -- and comprises a lower percentage of the average company's IT budget. (See Annual CSI Study: Cost of Cybercrime Is Skyrocketing.)

Are enterprise security departments setting themselves up for a fall?

The CSI study, which for the past 11 years has been conducted in conjunction with the FBI, is one of the oldest continuous studies of security industry trends. It's not a purely scientific study -- as CSI itself will tell you -- but it's one of the most established bellwethers that we have for measuring security plans and attitudes in the enterprise.

This year, after three straight years of reporting lower cybercrime costs, CSI survey respondents say they have seen significant increases in the damage caused by malicious activity. Financial fraud and insider attacks are the new culprits, displacing virus attacks as the top cost. (See Insider Threats Increase, But Damage Is Minimal.)

Yet while security spending continues to increase, its place in the budget is becoming more stable. According to the new study, almost half of respondents are now spending between 1 and 5 percent of their IT budgets on security. This is a leveling-out over last year, when 34 percent of respondents spent more than 6 percent, and 47 percent spent 2 percent or less.

Clearly, the days of wild spending on IT security are over. Companies are looking for predictable budgets from their security departments, so there is gravitation toward a set spending limit. This is certainly more fiscally responsible than handing the security department a blank check -- or no budget at all.

Unfortunately, however, security threats are not predictable. As the CSI study itself shows, there are years when incidents are down, damages are down, or both. And then there are other years, when the cost of cybercrime doubles, without warning, and IT finds itself short of the resources it needs to defend itself.

The question is this: Can IT security become a steady line item in the budget, with predictable costs and staffing requirements? Or should companies always overbudget, or keep an "emergency fund," to keep themselves in the black when attacks are especially virulent?

There's no clear answer to this question -- each company must do its own risk assessment. But if it were my company, I'd want to be sure that when a severe attack came, I'd have the resources needed to defend against it.

As we see in CSI's new report, a lot can happen in a year.

— Tim Wilson, Site Editor, Dark Reading