IT security gets more defined

Gartner analyst says more of the world's leading companies have defined their security processes, and warns against spending too much on security benchmarking.

For the first time in 20 years, more than half of the world's top 2,000 organizations are at the point where they have established a defined set of security processes, according to a Gartner analyst.

Speaking at a briefing on security management Monday, Gartner Research Director Andrew Walls presented a positive picture, where a growing number of Global 2000 companies have formalized their security processes.

He said that more than 50 percent of the Global 2000 have reached level 3 of the security metrics program, which benchmarks a company's security processes and is based on CMM (Capability Maturity Model) principles. (See the table below for the security maturity levels.)

Level           | What it entails                                                              | % of IT budget to spend
0 - Nonexistent | -                                                                            |
1 - Initial     | Establishing a security team and reviewing status quo                        | 4 - 6
2 - Developing  | Developing a new policy set and initiating strategic program                 | 4 - 6
3 - Defined     | Designing architecture and formalizing processes                             | 7 - 8
4 - Managed     | Concluding catch-up projects                                                 | 7 - 8
5 - Optimized   | Tracking technology and business change and continuous process improvement   | 3 - 4

Source: Gartner

As to how much an organization should spend on security benchmarking, Walls said it should be kept to less than 10 percent of the IT budget.

"A metrics program should not be a huge endeavor," said Walls, noting that many companies are spending over and beyond his prescribed limits.

But before embarking on security benchmarking, Walls noted, an organization should first peg its maturity level, so as to ensure more accurate reporting.

"A company should first gather operational metrics for at least three months before building an accurate report," he added.