A new study shows that most large companies don't spend enough of their IT budgets on upgrading their security infrastructures - a situation that could lead to bigger problems in the face of government legislation and corporate mergers and acquisitions.
Nemertes Research last week released its "Effective Security Solutions" report, which says the average 2% to 3% of the overall IT budget that companies allocate for security will not adequately prepare most of them for government regulations, new applications and/or Web services architectures.
Johna Till Johnson, Nemertes Research president and chief research officer, and a Network World columnist, says spending 3% on security will allow for only the security basics at most large organizations. Nemertes' definition of security basics includes deploying firewalls and VPNs, and controlling the security perimeter.
"Everyone will say that security is essential, and no one will dare say it's not important, but they are still underspending on security," Johnson says.
Nemertes found that many companies in the past five years have made strides in designating security officers, staff and budget, but still fall short when it comes to funding new and necessary projects. Johnson says companies must spend at least 5% of their overall IT budgets on security to incorporate the infrastructure upgrades and policy-based processes necessary to comply with government regulations passed in the past eight years or so.
The security requirements in legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Financial Modernization Act of 1999, the Sarbanes-Oxley Act of 2002 and ongoing Department of Homeland Security initiatives, represent a significant concern for companies currently underspending, Johnson says.
HIPAA establishes national standards to ensure privacy in electronic healthcare transactions. In light of all the accounting discrepancies in recent years, Sarbanes-Oxley requires that managers vouch for the internal controls their companies place over areas that include transactions, electronic information and communications. Sarbanes-Oxley will become a Securities and Exchange Commission rule. The Gramm-Leach-Bliley Act broke down information-sharing barriers among U.S. banking, securities and insurance industries so as to provide various financial services to customers, but it also requires that many electronic financial privacy regulations be put in place.