How much of your IT budget should be spent on security? In the face of high-profile data breaches like the Ashley Madison incident playing out in the headlines, it appears many Canadian executives are thinking it should be more than they spend currently.
While Canadian organizations are currently spending an average of about 12.5 per cent of their IT budget on security products, services, and staff, they’d consider the ideal amount of spending to be about 16.7 per cent, according to a 2015 survey conducted by IDC Canada. The survey covered 204 business leaders and is accurate within seven percentage points, 19 times out of 20.
Across Canada, it appears the Atlantic region reports spending the most on IT security, dedicating 16.3 per cent of budget and aspiring to get to 21.6 per cent. In Western Canada (including the Yukon), respondents are spending an average of 12.1 per cent on security and would like to get to 16.7 per cent. In Ontario it’s 12.7 per cent and 16.4 per cent respectively, and Quebec has the lowest reported numbers at just 10 per cent and 14.3 per cent.
Explore the results in our newly updated interactive Cybercrime Map of Canada below. The map includes the most recent cybercrime from Statistics Canada, IDC’s data about IT security budgets and the number of malware infections across the country from EnigmaSoftware.com. (Story continues below).
As IT World Canada reporter Howard Solomon wrote earlier this week, one place where IT spend is increasing is with managed security service providers (MSSPs). More CISOs are considering such a service in the face of a talent shortage in the IT security field, says Kevin Lonergan, an infrastructure solutions analyst at IDC.
Security leaders are asking the question of MSSPs “Can they provide equal or better security than my in-house solution at better or equal cost?” he says.
Also driving the trend is the appeal of bundling of multiple services into one provider. Major telecommunications companies have been offering a new breed of services in the last few years, and their investment appears to be paying off. Both Telus and Bell are categorized as “market leaders” by IDC in its MarketScape report assessing MSSPs across the country.
At Telus Security Solutions, Michael Argast, director of sales engineering at enablement, confirms this is a growth area for the carrier. Spending surveys show that budget is being dedicated to managed services.
“We know that it’s growing at strong double-digit growth rates,” he says. “It’s a growing part of our business.”
Telus Security Solutions was fired up as a division in 2004. It grew its capabilities with some key acquisitions, including Assurent Secure Technologies in 2006 (the seed that became Telus Security Labs), and digital forensics provider Digital WYZDOM. Adding these specialized security teams to Telus means that the telco can deliver proactive security services to its clients, the type of thing that most enterprises wouldn’t have the time or manpower to do on their own.
“We go out and scrape the dark web for Anonymous talking about attacks, social media chatter, that sort of thing,” Argast says. “We make these sort of investments where we see current and future markets.”
While enterprises are hiring MSSPs more often, it may not always feel that different from working with internal staff. Telus has about a dozen clients across the country where its security specialists are embedded on-site, and it’s a growing model for large enterprises.
“A larger organization likes the high-touch, hands-on model of having someone on site,” he says.
According to IDC’s survey, Canadian organizations are most keen on spending for MSSP services in the areas of secure virtual machines (SVM) with 29 per cent of that budgets assigned there. Identity access management (IAM), email, and mobile also see about 24-25 per cent of budget allocated to spending on MSSPs.