Most large companies don’t spend enough of their IT budgets on upgrading their security infrastructures, a situation that could lead to bigger problems in the face of government legislation and corporate mergers and acquisitions, according to a new study.

Nemertes Research recently released its ” Effective Security Solutions” report, which says the average two per cent to three per cent of the overall IT budget that companies allocate for security will not adequately prepare most of them for government regulations, new applications and/or Web services architectures.

Johna Till Johnson, Nemertes Research president and chief research officer, says spending three per cent on security will allow for only the security basics at most large organizations. Nemertes’ definition of security basics includes deploying firewalls and VPNs, and controlling the security perimeter.

“Everyone will say that security is essential, and no one will dare say it’s not important, but they are still underspending on security,” Johnson says.

Nemertes found that many companies in the past five years have made strides in designating security officers, staff and budget, but still fall short when it comes to funding new and necessary projects. She says companies must spend at least 5 per cent of their overall IT budgets on security to incorporate the infrastructure upgrades and policy-based processes necessary to comply with government regulations.

With mergers and acquisitions more frequent, companies must put more dollars into creating a common security infrastructure across IT departments. The research firm found that about three-quarters of security executives say access control, authorization and auditing (the triple A’s of security), and identity management are among their top spending priorities.