IT security gets more defined

For the first time in 20 years, more than half of the world's top 2,000 organizations are at the point where they have established a defined set of security processes, according to a Gartner analyst.
Speaking at a briefing on security management Monday, Gartner Research Director Andrew Walls presented a positive picture, where a growing number of Global 2000 companies have formalized their security processes.
He said that more than 50 percent of Global 2000 have reached level 3 of the security metrics program, which benchmarks a company's security processes and is based on CMM (Capability Maturity Model) principles. (See table for security maturity levels.)

Level	0 - Nonexistent	1 - Initial	2 - Developing	3 - Defined	4 - Managed	5 - Optimized
What it entails	-	Establishing a security team and reviewing status quo	Developing a new policy set and initiating strategic program	Designing architecture and formalizing processes	Concluding catch-up projects	Tracking technology and business change and continuous process improvement
% of IT budget to spend	< 3	4 -6	4 - 6	7 - 8	7 - 8	3 - 4

Source: Gartner

As to how much an organization should spend on security benchmarking, Walls said it should be kept to less than 10 percent of the IT budget.

"A metrics program should not be a huge endeavor," said Walls, noting that many companies are spending over and beyond his prescribed limits.

But before embarking on security benchmarking, Wall noted, an organization should first peg their maturity level first, so as to ensure more accurate reporting.

"A company should first gather operational metrics for at least three months before building an accurate report," he added.