Spend less on IT security, says Gartner

18 September 2007

Organisations should aim to spend less of their IT budgets on security, Gartner vice-president John Pescatore told the analyst firm’s London IT Security Summit on 17 September.

In a keynote speech, he said that retailers typically spend 1.5% of revenue trying to prevent crime, then still lose a further 1.5% through shoplifting and staff theft, costing 3% in total.

But Gartner’s research suggests that the average organisation spends 5% of its IT budget on security, even with disaster recovery and business continuity work excluded, and IT managers are tired of requests for more. Security has dropped from first (in 2005) to sixth (in 2007) in the firm’s annual survey of chief information officers’ technical concerns.

Pescatore said that managers are not impressed by the claim that “security is a journey” without a destination. “Can you imagine, ‘profit is a journey’?” he asked, pointing out that other areas of IT are often able to offer their organisations more functionality for less money, or some other kind of business benefit.

Growing efficiencies could be possible for IT security too, if organisations moved to a model he called ‘Security 3.0’: “I really don’t think most of us need more and more people,” he said. In this model, IT security would anticipate threats, rather than fight them after they hit.

“We’ve been doing ‘smack the rat’ security,” he said, referring to the fairground game, but in future the model should be chess – a longer-term test of strategy, rather than reaction speed.

Pescatore said ways to prevent problems rather than fight them include buying and building secure systems, which means considering security during procurement and development, and rejecting products which are not adequately protected. This might mean spending more initially, but prevention is cheaper than cure. “This is the single biggest step” towards his model, he said.

On data security, Pescatore told his audience that the ideal, ubiquitous digital rights management system would not appear in their working lifetimes. Instead, it makes more sense to watch where data is flowing, and block it from reaching insecure locations.

Getting to a mature stage of IT security will take many organisations some time, Pescatore said: by 2010, Gartner estimates just a fifth will have reached its ‘operations excellence’ stage where they spend just 3-4% of IT on security, while two-fifths will still be in the previous ‘corrective’ stage, spending 7-8%.

In response to a question, Pescatore dismissed the idea that insider threats are growing: he believes that attacks generated by malicious insiders are stable at 20-25%. Half come from mistakes made by insiders, while around 30% of attacks are made solely by outsiders, the majority of whom are cybercriminals.
