Nearly 40% of Companies Are Not Minding their Security Shop

NEW YORK … April 28, 2003 – Nearly 40 percent of companies report they don’t have a Chief Security Officer or equivalent executive in place, according to “Effective Security Solutions,” a report from Nemertes Research, an independent research firm that specializes in assessing the business impact of technology.

In addition, the study finds that the median information security budget at large enterprise organizations is just 3 percent of the overall IT budget, with 19 percent of companies spending under 1 percent on security initiatives. The research also reveals that a significant percentage of large financial-services organizations spend a mere 1 percent—or less—of their overall IT budget on security. “One might assume that organizations with smaller security budgets comprised smaller, less-sophisticated enterprises in industries relatively untouched by regulation. One would be wrong,” says Nemertes President & Chief Research Officer Johna Till Johnson.

Given the security requirements posed to such companies by legislation such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Financial Modernization Act of 1999, the Sarbanes-Oxley Act of 2002, and ongoing Department of Homeland Security initiatives, this underspending on information security represents a significant concern.

On a more positive note, most companies report successful deployments of infrastructure security solutions (firewalls, VPNs, virus scanners, and the like). Nearly three-quarters (74 percent) of security executives describe “triple-A” (access control, authorization, and auditing) and identity management as among their top priorities. And while 80 percent haven’t deployed Web or application security, most are looking to do so.

The report contains input from organizations across a range of industries, including financial and information services, distribution, manufacturing, retail, healthcare and pharmaceuticals. Companies surveyed typically had annual revenues of $1 billion and up. The report includes a comprehensive survey of IT executives’ security organizations, processes, and best practices; a benchmark of technologies and solutions currently in deployment; a review of architectural initiatives; and an overview of emerging technologies and next-generation solutions.

Nemertes Research is a leading independent research firm that specializes in quantifying the business impact of technology. For more information about Nemertes reports and offerings, contact us at 888-241-2685 or research@nemertes.com.
###