Our 2006 IT Security Study: The Current State of IT Security Budgets, Management Practices, and Security Incidents provides a comprehensive view of the current state of information security in North America.
For IT decision-makers, this study provides objective data and key metrics for the following uses:
Benchmarking and justifying the organization's IT security budget and staffing levels by comparing them with those of organizations of similar size.
Evaluating various network and computer security technologies by understanding their level of adoption within industry overall and within companies of similar size.
Assessing the organization's commitment to IT security by understanding the extent to which other firms have instituted or are in the process of implementing various IT security best practices.
Prioritizing IT security initiatives based upon current estimates of IT security incidents by type.
For vendors of IT security products and services, this study is a valuable source of information for understanding market opportunities. The study provides hard data that can be used to formulate or validate assumptions underlying business development plans.
Read a short summary of just one of the key findings from this study: IT Security--Large Firms Lag Behind.
THE EXECUTIVE SUMMARY
Chapter 1, the Executive Summary, summarizes the key findings of the full report and provides supporting statistics. The Executive Summary also includes key findings from the related Malware Report, details of the survey demographics by industry sector and job position, and a comparison with the CSI/FBI security survey. The Executive Summary is 21 pages, with six charts and tables.
See the bottom of this page for special pricing by chapter.
THE FULL STUDY
The remaining chapters (2-5) present the detailed results of the IT Security Survey along with our analysis based on interviews with IT security experts. Chapter 2 provides the composite results for all organizations that participated in the survey. Chapter 3 presents statistics for small organizations (revenues between U.S. $100 million and $250 million). Chapter 4 presents statistics for medium organizations ($250 million to $750 million). Chapter 5 presents statistics for large organizations (over $750 million).
Statistics include the following:
IT Security Budget Ratios and Trends: including the IT security budget as percentage of the total IT budget, budget change from last year, budget cost allocation in dollars, budget cost per desktop, and cost by major category. These statistics are presented at the median, 25th percentile, and 75th percentile, where appropriate.
IT Security Staffing Ratios and Trends: including the ratio of IT security employees to total IT staff, the number of IT security personnel per thousand desktops, and the IT security management reporting structure. These statistics are presented at the median, 25th percentile, and 75th percentile, where appropriate.
IT Security Technology Adoption Trends: including statistics on the adoption of specific and representative IT security technologies, namely, spam filtering, VPN, WEP, WPA, server access controls, intrusion alerts, intrusion prevention, encryption, PKI, password management, smart cards, password tokens, and biometrics.
IT Security Management Practices: including percent of companies that have deployed IT security policies and procedures, physical access controls, document shredding, application and data access controls, password syntax controls, password rotation, password cancellation for terminated employees, restriction of desktop administration rights, periodic security training, desktop software audits, security audits, and security certifications.
Chapter 2 also provides summary statistics for the IT security incidents, such as cybercrime and other threats experienced by respondents in the composite sample, including: number of infosec incidents by source, percentage of incidents by point of entry, and the impact of IT security incidents on corporate websites.
Among the nearly 200 pages of detailed statistics, this year's study found several significant trends:
By nearly every measure, large firms lag behind mid-size organizations in IT security spending, staffing, technology, and management best practices. The full report provides details to substantiate this finding with nine metrics of security spending and staffing and an analysis of the adoption rate of 25 representative security technologies and management best practices.
Many companies of all sizes fail to implement a number of basic security management best practices. The full report explains how organizations in each size category stack up against 12 representative management best practices for IT security.
In spite of deficiencies, most companies are not authorizing more money for information and data security. This is evidenced by changes in IT budgets provided in this report and the respondents' assessment of the adequacy of those budgets to provide protection against criminal activity and other information security risks.
DETAILED TABLE OF CONTENTS
Chapter 1: Executive Summary
IT Security Study Highlights
Malware Study Highlights
About This Study
Contents by Chapter
Industry Sector Representation
Job Function Representation
Comparison With the CSI/FBI Survey
Chapter 2: Statistics for the Composite Sample (All Organizations)
IT Security Budget and Staffing Ratios with Trends: These statistics are presented at the median, 25th percentile, and 75th percentile, where appropriate.
IT Security Budget as a Percentage of Total IT Budget
IT Security Budget Changes
IT Security Budget Allocation in Dollars (U.S.)
IT Security Budget Allocation per Desktop
IT Security Budget Allocation by Major Category
Adequacy of IT Security Budgets
Ratio of IT Security Personnel to Total IT Staff
Number of IT Security Personnel per Thousand Desktops
IT Security Management Reporting Structure
IT Security Technology Adoption Trends
Adoption of Spam Filtering
Adoption of Virtual Private Networks
Adoption of Wired Equivalent Privacy (WEP)
Adoption of Wi-Fi Protected Access (WPA)
Adoption of Server Access Controls
Adoption of Intrusion Alerts
Adoption of Intrusion Prevention Systems
Adoption of Encryption
Adoption of Public Key Infrastructure (PKI) Systems
Adoption of Password Management
Adoption of Smart Cards
Adoption of Password Tokens
Adoption of Biometrics
IT Security Management Practices
IT Security Policies and Procedures
Physical Security Access Controls
Document Shredding Policy
Application and Data Access Controls
Password Syntax Controls
Forced Password Rotation
Password Cancellation for Terminated Employees
Desktop Administration Rights
Periodic IT Security Training for All Employees
PC Software Audits
IT Security Audits
IT Security Certification for Security Staff
IT Security Incident Statistics
Number of IT Security Incidents by Source
Percentage of IT Security Incidents by Point of Entry
Impact of IT Security Incidents on Websites
Statistics by Organizational Size
These chapters provide the same statistics as shown in Chapter 2, with the exception of the IT Security Incident statistics, which are only provided for the composite sample.
Chapter 3: Small Organizations ($100 million to $250 million U.S. in annual revenue)
Chapter 4: Medium Organizations ($250 million to $750 million)
Chapter 5: Large Organizations (over $750 million)
Purchasing Options: Pricing by Chapter
Chapter 1, the Executive Summary: $45
Chapters 1 and 2, the Composite Statistics: $295
Chapters 1, 2, and 3, the Composite and Small Organization Statistics: $495
Chapters 1, 2, and 4, the Composite and Medium Organization Statistics: $495
Chapters 1, 2, and 5, the Composite and Large Organization Statistics: $495
The Full Study: $995 (all chapters)
Update! For an assessment of current IT security threat levels in 12 categories, please see our new study, Trends in IT Security Threats: 2007 (priced separately).
Still have questions about this study?
Contact our analyst staff now.