Analyst group Gartner claims that almost three quarters of American companies feel safer than they were a year ago but only 22 percent of Australian firms feel the same way.
During the opening keynote speech at Gartner's IT Security Summit in Sydney on Tuesday, research director Rich Mogull told delegates that the results of the telephone survey were not skewed by "over-confident Americans".
"In the US, 71 percent thought they were safer than a year ago ... in Australia, only 22 percent thought they were safer while 45 percent thought they were about the same," said Mogull. "It is not the Americans being over confident."
According to Mogull, Gartner's research has indicated that companies generally fall into a number of phases (outlined below) when it comes to spending on security. These phases could explain why Australian firms are feeling less secure than their US-based counterparts.
- Blissfully Ignorant: where companies spend less than three percent of their IT budget on security and, according to Gartner, will most likely face serious issues in the future.
- Awareness/Corrective phase: where companies have had a rude awakening from their ignorance and are now trying to get their systems up to date. This process takes around three years and requires a company to spend between four and eight percent of its IT budget on security.
- Operational Excellence: where companies have internal procedures in place to deal with existing security issues and are prepared to fight any new threats quickly and efficiently. These companies spend between three and four percent of their IT budget on security.
According to a survey carried out last year by Gartner, 63 percent of Australian firms expected to spend less than four percent of their IT budget on security during 2006. That number was made up of 22 percent that expected to spend less than two percent and 41 percent that expected to spend between two percent and four percent of their IT budget on security.
In his notes, Mogull suggests that more money will be thrown at IT security over the next few years as firms reach "enlightenment".
"The net effect is an overall increase in security spending rates for the next two to three years, flattening after 2009. The overall market continues to grow through 2008 as IT budgets grow, even as security budgets of a small, but growing, group of leading organisations start to stabilise," wrote Mogull.
Security is a cost of doing business
Mogull said companies should stop asking for a return on investment for certain security products and instead see them as a "cost of doing business".
"What is the return on investment of buying a firewall or antivirus? It's like asking 'what is the return of investment on a fire extinguisher?' What is the return on investment on getting your employees desks?
"For some it really is just the cost of doing business. If you don't have antivirus, if you don't have firewalls then you are not going to be able to do anything else -- unless you do it all on paper," he added.