Research
The Global State of Information Security 2003
From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.
By Scott Berinato
2. Set baseline security requirements for anyone connecting to your network, and force partners and vendors to meet those requirements.
The Per Capita Benchmark
Dividing employees by security budget yields some surprising
Impulsively, you might use the spectrum to see if your spending is normal. But while there is an overall average spending level ($964), there's nothing "normal" about the range of spending, from as little as $100 per employee to well into the thousands of dollars.
Many factors could account for the broad range of spending. In some industries, the stakes are exponentially higher, even if the personnel requirements are not. An energy utility is a good example, where 72 respondents yielded an average security spend per capita of more than $7,000.
Despite the lack of normalcy, the confidence correlation shows up here too. The confident companies spent nearly two and a half times more per capita than those that lacked confidence, and one and a half times as much as the overall average. (Interestingly, the 6 percent who were unsure of how confident they were spent just $585 per capita, even less than the least confident group.)
North American businesses also spent significantly more ($1,200 per capita) than companies in the rest of the world (about $800). That didn't make them any safer, per se. Some argue it proves North American companies are less efficient with their security spending.
In the strangest twist of all, companies that suffered no damages last year spent $684 per capita, less than the average for companies that had suffered damages. Companies with more than a half million in damages spent nearly $1,500 per head. The calculation may be primitive, but security executives are clamoring for any objective numbers they can get their hands on. At the very least, it's a ballpark in which to play.
To-Dos
1. Try the per capita security expenditure calculation in your enterprise.
2. Compare your per capita expenditure to the average in your industry, the very confident and not very confident groups, and the overall average of $964.
Why No One Hits .400 Anymore
The late naturalist Stephen Jay Gould contended that complex systems evolve from wild variation in their youth to relative uniformity in maturity, all the while maintaining an overall constant average in both. To make his point, Gould used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that, throughout the history of the game, the aggregate batting average of major-league hitters has remained constant at about .260, but that there used to be a much higher incidence of .400 hitters than now. Ted Williams was the last player to hit over .400. Prior to that, Ty Cobb and Rogers Hornsby did it three times each.



